[linux] 02/04: Update to 3.16.42
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sun Apr 2 01:34:15 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 83509f3ea4e2c31c01f2ec57f3291a219b19e3b5
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Apr 2 02:11:44 2017 +0100
Update to 3.16.42
Drop many patches that went upstream.
Fix/ignore/revert various ABI changes as appropriate.
---
debian/changelog | 566 ++++++++++++++-
debian/config/defines | 6 +
.../TTY-n_hdlc-fix-lockdep-false-positive.patch | 101 ---
.../alsa-pcm-call-kill_fasync-in-stream-lock.patch | 43 --
...reeing-skb-too-early-for-IPV6_RECVPKTINFO.patch | 47 --
.../all/dccp-limit-sk_filter-trim-to-payload.patch | 94 ---
.../fbdev-color-map-copying-bounds-checking.patch | 80 ---
...entry-to-inode_change_ok-instead-of-inode.patch | 678 ------------------
...-propagate-dentry-down-to-inode_change_ok.patch | 68 --
.../hid-core-prevent-out-of-bound-readings.patch | 43 --
.../all/ip6_gre-fix-ip6gre_err-invalid-reads.patch | 98 ---
...pc-shm-Fix-shmat-mmap-nil-page-protection.patch | 76 --
...-skb-dst-around-in-presence-of-ip-options.patch | 43 --
...fix-lockdep-annotations-in-hashbin_delete.patch | 84 ---
...ix-null-ptr-dereference-in-mpi_powm-ver-3.patch | 96 ---
...signed-overflows-for-so_-snd-rcv-bufforce.patch | 45 --
.../all/net-llc-avoid-BUG_ON-in-skb_orphan.patch | 59 --
...-check-minimum-size-on-icmp-header-length.patch | 67 --
.../bugfix/all/net-sock-add-sock_efree.patch | 34 -
...fnetlink-correctly-validate-length-of-bat.patch | 71 --
...ket-fix-race-condition-in-packet_set_ring.patch | 88 ---
.../all/packet-fix-races-in-fanout_add.patch | 72 --
.../bugfix/all/perf-Fix-event-ctx-locking.patch | 501 -------------
...ix-concurrent-sys_perf_event_open-vs.-mov.patch | 152 ----
.../bugfix/all/perf-do-not-double-free.patch | 47 --
.../bugfix/all/perf-fix-race-in-swevent-hash.patch | 92 ---
...entry-to-inode_change_ok-instead-of-inode.patch | 779 ---------------------
.../all/rose-limit-sk_filter-trim-to-payload.patch | 94 ---
...sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch | 40 --
...eeloff-operation-on-asocs-with-threads-sl.patch | 66 --
...lidate-chunk-len-before-actually-using-it.patch | 54 --
.../selinux-fix-off-by-one-in-setprocattr.patch | 61 --
...uble-free-when-drives-detach-during-sg_io.patch | 66 --
...g_write-is-not-fit-to-be-called-under-ker.patch | 42 --
...-added-by-grab_header-in-proc_sys_readdir.patch | 83 ---
...cp-avoid-infinite-loop-in-tcp_splice_read.patch | 48 --
...ake-care-of-truncations-done-by-sk_filter.patch | 98 ---
...pfs-clear-s_isgid-when-setting-posix-acls.patch | 41 --
.../tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch | 314 ---------
...-ldisc-drivers-from-re-using-stale-tty-fi.patch | 74 --
.../all/usb-gadget-f_fs-fix-use-after-free.patch | 32 -
...-kl5kusb105-fix-line-state-error-handling.patch | 37 -
...-propagate-dentry-down-to-inode_change_ok.patch | 210 ------
.../fix-potential-infoleak-in-older-kernels.patch | 63 --
.../kvm-fix-page-struct-leak-in-handle_vmon.patch | 40 --
...o-intercept-software-exceptions-bp-and-of.patch | 62 --
...p-error-recovery-in-em_jmp_far-and-em_ret.patch | 125 ----
...x86-fix-emulation-of-mov-ss-null-selector.patch | 104 ---
.../kvm-x86-introduce-segmented_write_std.patch | 59 --
.../arm64-ptrace-avoid-abi-change-in-3.16.42.patch | 23 +
...e-for-mmc-core-annotate-cmd_hdr-as-__le32.patch | 26 +
...change-for-net-fix-sk_mem_reclaim_partial.patch | 80 +++
...smp_send_stop-with-kdump-friendly-version.patch | 168 +++++
...e-for-mnt-add-a-per-mount-namespace-limit.patch | 25 +
.../all/net-add-__sock_queue_rcv_skb.patch | 63 --
...spend-resume-quirks-for-apple-thunderbolt.patch | 4 +-
debian/patches/series | 53 +-
57 files changed, 900 insertions(+), 5485 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 76fe2ef..b024001 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,571 @@
-linux (3.16.39-2) UNRELEASED; urgency=medium
+linux (3.16.42-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40
+ - [x86] drm/i915/vlv: Make intel_crt_reset() per-encoder
+ - [x86] drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
+ - fbdev/efifb: Fix 16 color palette entry calculation
+ - [s390*] zfcp: fix fc_host port_type with NPIV
+ - [s390*] zfcp: fix ELS/GS request&response length for hardware data router
+ - [s390*] zfcp: close window with unblocked rport during rport gone
+ - [s390*] zfcp: retain trace level for SCSI and HBA FSF response records
+ - [s390*] zfcp: restore: Dont use 0 to indicate invalid LUN in rec trace
+ - [s390*] zfcp: trace on request for open and close of WKA port
+ - [s390*] zfcp: restore tracing of handle for port and LUN with HBA records
+ - [s390*] zfcp: fix D_ID field with actual value on tracing SAN responses
+ - [s390*] zfcp: fix payload trace length for SAN request&response
+ - [s390*] zfcp: trace full payload of all SAN records (req,resp,iels)
+ - clk: divider: Fix clk_divider_round_rate() to use clk_readl()
+ - [x86] dumpstack: Fix x86_32 kernel_stack_pointer() previous stack access
+ - PCI: Mark Atheros AR9580 to avoid bus reset
+ - netfilter: restart search if moved to other chain
+ - uio: fix dmem_region_start computation
+ - platform: don't return 0 from platform_get_irq[_byname]() on error
+ - [arm64] debug: avoid resetting stepping state machine when TIF_SINGLESTEP
+ - ASoC: dapm: Fix value setting for _ENUM_DOUBLE MUX's second channel
+ - genirq/generic_chip: Add irq_unmap callback
+ - rtlwifi: Update regulatory database
+ - rtlwifi: Fix missing country code for Great Britain
+ - pwm: Unexport children before chip removal
+ - cx231xx: don't return error on success
+ - cx231xx: fix GPIOs for Pixelview SBTVD hybrid
+ - ext4: reinforce check of i_dtime when clearing high fields of uid and gid
+ - pstore/core: drop cmpxchg based updates
+ - pstore/ram: Use memcpy_toio instead of memcpy
+ - pstore/ram: Use memcpy_fromio() to save old buffer
+ - ipv4: accept u8 in IP_TOS ancillary data
+ - [armhf] phy: sun4i-usb: Use spinlock to guard phyctl register access
+ - dm: mark request_queue dead before destroying the DM device
+ - dm mpath: check if path's request_queue is dying in activate_path()
+ - ext4: bugfix for mmaped pages in mpage_release_unused_pages()
+ - [armhf] dts: exynos: Fix mismatched value for SD4 pull up/down
+ configuration on exynos4210
+ - reiserfs: Unlock superblock before calling reiserfs_quota_on_mount()
+ - sctp: do not return the transmit err back to sctp_sendmsg
+ - pkt_sched: fq: use proper locking in fq_dump_stats()
+ - [x86] iommu/amd: Free domain id when free a domain of struct
+ dma_ops_domain
+ - [powerpc*] nvram: Fix an incorrect partition merge
+ - ALSA: ali5451: Fix out-of-bound position reporting
+ - usb: misc: legousbtower: Fix NULL pointer deference
+ - net/mlx4_en: Fix wrong indentation
+ - net/mlx4_core: Fix deadlock when switching between polling and event fw
+ commands
+ - drm/radeon: narrow asic_init for virtualization
+ - [powerpc*] eeh: Null check uses of eeh_pe_bus_get
+ - ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants
+ - netfilter: nft_exthdr: Add size check on u8 nft_exthdr attributes
+ - netfilter: nf_tables: validate maximum value of u32 netlink attributes
+ - svcrdma: Tail iovec leaves an orphaned DMA mapping
+ - blkcg: Annotate blkg_hint correctly
+ - ALSA: hda - Adding one more ALC255 pin definition for headset problem
+ - mmc: block: don't use CMD23 with very old MMC cards
+ - [powerpc*] KVM: Book3S: Treat VTB as a per-subcore register, not
+ per-thread
+ - [powerpc*] KVM: BookE: Fix a sanity check
+ - [powerpc*] KVM: Book3s PR: Allow access to unprivileged MMCR2 register
+ - NFSv4: Open state recovery must account for file permission changes
+ - Revert "usbtmc: convert to devm_kzalloc"
+ - drm/radeon/si/dpm: fix phase shedding setup
+ - [powerpc*/*64*] vdso64: Use double word compare on pointers
+ - ext4: release bh in make_indexed_dir
+ - [s390*] con3270: fix use of uninitialised data
+ - [s390*] con3270: fix insufficient space padding
+ - fuse: invalidate dir dentry after chmod
+ - fuse: fix killing s[ug]id in setattr
+ - fuse: listxattr: verify xattr list
+ - crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
+ - staging: rtl8188eu: fix missing unlock on error in rtw_resume_process()
+ - staging: rtl8188eu: fix double unlock error in rtw_resume_process()
+ - UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
+ - ubi: Deal with interrupted erasures in WL
+ - ubi: Fix races around ubi_refill_pools()
+ - ubi: Fix Fastmap's update_vol()
+ - i40e: avoid NULL pointer dereference and recursive errors on early PCI
+ error
+ - [powerpc*] powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data()
+ - mfd: rtsx_usb: Avoid setting ucr->current_sg.status
+ - async_pq_val: fix DMA memory leak
+ - mm: filemap: fix mapping->nrpages double accounting in fuse
+ - netlink: do not enter direct reclaim from netlink_dump()
+ - IB/srp: Fix infinite loop when FMR sg[0].offset != 0
+ - [x86] Input: elantech - add Fujitsu Lifebook E556 to force crc_enabled
+ - mm/hugetlb: fix memory offline with hugepage size > memory block size
+ - mm/hugetlb: check for reserved hugepages during memory offline
+ - vfs,mm: fix a dead loop in truncate_inode_pages_range()
+ - [powerpc*] pseries: Fix stack corruption in htpe code
+ - [powerpc*/*64*] Fix incorrect return value from __copy_tofrom_user
+ - [x86] panic: replace smp_send_stop() with kdump friendly version in panic
+ path
+ - [mips*] panic: replace smp_send_stop() with kdump friendly version in
+ panic path
+ - compiler: Allow 1- and 2-byte smp_load_acquire() and smp_store_release()
+ - ipc: remove use of seq_printf return value
+ - ipc/sem.c: fix complex_count vs. simple op race
+ - [mips*] ptrace: Fix regs_return_value for kernel context
+ - cifs: Display number of credits available
+ - cifs: Limit the overall credit acquired
+ - cifs: Set previous session id correctly on SMB3 reconnect
+ - cifs: SMB3: GUIDs should be constructed as random but valid uuids
+ - cifs: Clarify locking of cifs file and tcon structures and make more
+ granular
+ - cifs: Do not send SMB3 SET_INFO request if nothing is changing
+ - cifs: Cleanup missing frees on some ioctls
+ - fs/super.c: fix race between freeze_super() and thaw_super()
+ - scsi: Fix use-after-free
+ - mac80211: discard multicast and 4-addr A-MSDUs
+ - jbd2: fix incorrect unlock on j_list_lock
+ - drm/radeon: change vblank_time's calculation method to reduce
+ computational error.
+ - ipv6: correctly add local routes when lo goes up
+ - [s390*] scsi: zfcp: spin_lock_irqsave() is not nestable
+ - mmc: sdhci: cast unsigned int to unsigned long long to avoid unexpeted
+ error
+ - mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused
+ - mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led
+ - memstick: rtsx_usb_ms: Runtime resume the device when polling for cards
+ - memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
+ - [arm64] kernel: Init MDCR_EL2 even in the absence of a PMU
+ - netfilter: nf_tables: underflow in nft_parse_u32_check()
+ - ALSA: hda - allow 40 bit DMA mask for NVidia devices
+ - isofs: Do not return EACCES for unknown filesystems
+ - bridge: multicast: restore perm router ports on multicast enable
+ - hwrng: core - Don't use a stack buffer in add_early_randomness()
+ - [x86] Input: i8042 - add XMG C504 to keyboard reset table
+ - ubifs: Fix xattr_names length in exit paths
+ - ubifs: Abort readdir upon error
+ - target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT
+ REACHABLE
+ - target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code
+ - [x86] xhci: add restart quirk for Intel Wildcatpoint PCH
+ - xhci: workaround for hosts missing CAS bit
+ - USB: serial: fix potential NULL-dereference at probe
+ - drm/radeon/si_dpm: Limit clocks on HD86xx part
+ - [arm64] KVM: Take S1 walks into account when determining S2 write faults
+ - [powerpc*] Convert cmp to cmpd in idle enter sequence
+ - ipv4: use the right lock for ping_group_range
+ - ACPI / APEI: Fix incorrect return value of ghes_proc()
+ - dm table: fix missing dm_put_target_type() in dm_table_add_target()
+ - [x86] mei: txe: don't clean an unprocessed interrupt cause.
+ - scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough)
+ devices
+ - [x86] hv: do not lose pending heartbeat vmbus packets
+ - ALSA: hda - Fix surround output pins for ASRock B150M mobo
+ - drm/radeon: drop register readback in cayman_cp_int_cntl_setup
+ - drm/radeon/si_dpm: workaround for SI kickers
+ - scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
+ - scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
+ - tty: vt, fix bogus division in csi_J
+ - tty: limit terminal size to 4M chars
+ - vt: clear selection before resizing
+ - netfilter: nf_conntrack_sip: extend request line validation
+ - netfilter: nf_tables: fix type mismatch with error return from
+ nft_parse_u32_check
+ - btrfs: fix races on root_log_ctx lists
+ - lib/genalloc.c: start search from start of chunk
+ - [s390*] hypfs: Use get_free_page() instead of kmalloc to ensure page
+ alignment
+ - [x86] KVM: fix wbinvd_dirty_mask use-after-free
+ - GenWQE: Fix bad page access during abort of resource allocation
+ - ubifs: Fix regression in ubifs_readdir()
+ - md: be careful not lot leak internal curr_resync value into metadata.
+ - net/mlx5: Avoid passing dma address 0 to firmware
+ - packet: on direct_xmit, limit tso and csum to supported devices
+ - net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW
+ spec
+ - net/mlx4_en: Resolve dividing by zero in 32-bit system
+ - net/mlx4_en: Process all completions in RX rings after port goes up
+ - net/mlx4_en: Fix potential deadlock in port statistics flow
+ - [x86] iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions
+ - virtio: console: Unlock vqs while freeing buffers
+ - netfilter: nf_tables: destroy the set if fail to add transaction
+ - [x86] mei: bus: fix received data size check in NFC fixup
+ - ipv6: Don't use ufo handling on later transformed packets
+ - can: bcm: fix warning in bcm_connect/proc_register
+ - bgmac: stop clearing DMA receive control register right after it is set
+ - uwb: fix device reference leaks
+ - [armel,armhf] gpio/mvebu: Use irq_domain_add_linear
+ - PM / sleep: fix device reference leak in test_suspend
+ - ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
+ - firewire: net: fix fragmented datagram_size off-by-one
+ - ipv4: allow local fragmentation in ip_finish_output_gso()
+ - i2c: core: fix NULL pointer dereference under race condition
+ - iio: hid-sensors: Fix compilation warning
+ - iio: hid-sensors: Increase the precision of scale to fix wrong reading
+ interpretation.
+ - [armhf] net: ethernet: ti: cpsw: fix device and of_node leaks
+ - scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
+ - rtnl: reset calcit fptr in rtnl_unregister()
+ - USB: cdc-acm: fix TIOCMIWAIT
+ - PM / sleep: don't suspend parent when async child suspend_{noirq, late}
+ fails
+ - [x86] ALSA: hda - Fix mic regression by ASRock mobo fixup
+ - swapfile: fix memory corruption via malformed swapfile
+ - coredump: fix unfreezable coredumping task
+ - dib0700: fix nec repeat handling
+ - scsi: mpt3sas: Fix secure erase premature termination
+ - neigh: check error pointer instead of NULL for ipv4_neigh_lookup()
+ - ipv4: use new_gw for redirect neigh lookup
+ - fuse: fix fuse_write_end() if zero bytes were copied
+ - [armhf] usb: chipidea: move the lock initialization to core file
+ - rtnetlink: fix rtnl_vfinfo_size
+ - mfd: core: Fix device reference leak in mfd_clone_cell
+ - nvme/pci: Don't free queues on error
+ - IB/uverbs: Fix leak of XRC target QPs
+ - IB/cm: Mark stale CM id's whenever the mad agent was unregistered
+ - IB/core: Avoid unsigned int overflow in sg_alloc_table
+ - IB/mlx5: Use cache line size to select CQE stride
+ - IB/mlx5: Resolve soft lock on massive reg MRs
+ - IB/mlx5: Fix NULL pointer dereference on debug print
+ - IB/mlx4: Fix create CQ error flow
+ - mwifiex: printk() overflow with 32-byte SSIDs
+ - of_mdio: fix node leak in of_phy_register_fixed_link error path
+ - cfg80211: limit scan results cache size
+ - [armhf] net: ethernet: ti: cpsw: fix bad register access in probe error
+ path
+ - [armhf] net: ethernet: ti: cpsw: fix mdio device reference leak
+ - [armhf] net: ethernet: ti: cpsw: fix secondary-emac probe error path
+ - KVM: Disable irq while unregistering user notifier
+ - [x86] KVM: fix missed SRCU usage in kvm_lapic_set_vapic_addr
+ - ext4: sanity check the block and cluster size at mount time
+ - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
+ (CVE-2016-10200)
+ - apparmor: fix change_hat not finding hat after policy replacement
+ - [x86] traps: Ignore high word of regs->cs in early_fixup_exception()
+ - xc2028: Fix use-after-free bug properly
+ - [armhf] net: ethernet: mvneta: Remove IFF_UNICAST_FLT which is not
+ implemented
+ - net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode
+ to device managed flow steering
+ - pwm: Fix device reference leak
+ - netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT"
+ failed in 64bit kernel
+ - [powerpc*] eeh: Fix deadlock when PE frozen state can't be cleared
+ - batman-adv: Check for alloc errors when preparing TT local data
+ - locking/rtmutex: Prevent dequeue vs. unlock race
+ - ipv4: Set skb->protocol properly for local output
+ - ipv6: Set skb->protocol properly for local output
+ - tipc: check minimum bearer MTU
+ - [x86] perf: Fix full width counter, counter overflow
+ - fuse: fix clearing suid, sgid for chown()
+ - can: raw: raw_setsockopt: limit number of can_filter that can be set
+ - can: peak: fix bad memory access and free sequence
+ - ser_gigaset: return -ENOMEM on error instead of success
+ - vfs,mm: fix return value of read() at s_maxbytes
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.41
+ - mnt: Add a per mount namespace limit on the number of mounts
+ (CVE-2016-6213)
+ - ext4: validate s_first_meta_bg at mount time (CVE-2016-10208)
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42
+ - net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
+ - ite-cir: initialize use_demodulator before using it
+ - usb: gadget: composite: correctly initialize ep->maxpacket
+ - usb: gadget: composite: always set ep->mult to a sensible value
+ - [armhf] usb: dwc3: gadget: set PCM1 field of isochronous-first TRBs
+ - [amd64] drm/gma500: Add compat ioctl
+ - enic: set skb->hash type properly
+ - xfs: fix up xfs_swap_extent_forks inline extent handling
+ - scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits
+ for 30secs before reset
+ - PCI: Check for PME in targeted sleep state
+ - USB: UHCI: report non-PME wakeup signalling for Intel hardware
+ - [armhf] dts: imx6q-cm-fx6: fix fec pinctrl
+ - [powerpc] ibmebus: Fix device reference leaks in sysfs interface
+ - [powerpc] ibmebus: Fix further device reference leaks
+ - [powerpc*] pci/rpadlpar: Fix device reference leaks
+ - usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
+ - dm rq: fix a race condition in rq_completed()
+ - ext4: fix mballoc breakage with 64k block size
+ - ext4: fix stack memory corruption with 64k block size
+ - IB/core: Save QP in ib_flow structure
+ - IB/mlx5: Put non zero value in max_ah
+ - IB/mlx5: Wait for all async command completions to complete
+ - IB/IPoIB: Remove can't use GFP_NOIO warning
+ - IB/mlx4: Set traffic class in AH
+ - IB/mlx4: Put non zero value in max_ah device attribute
+ - IB/mlx4: Fix port query for 56Gb Ethernet links
+ - scsi: mvsas: fix command_active typo
+ - ssb: Fix error routine when fallback SPROM fails
+ - usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
+ - [armhf] USB: phy: am335x-control: fix device and of_node leaks
+ - ext4: fix in-superblock mount options processing
+ - ext4: use more strict checks for inodes_per_block on mount
+ - ext4: add sanity checking to count_overhead()
+ - [powerpc*] KVM: Book3S HV: Save/restore XER in checkpointed register state
+ - dm crypt: mark key as invalid until properly loaded
+ - f2fs: set ->owner for debugfs status file's file_operations
+ - xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing
+ - ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
+ - md/raid5: limit request size according to implementation limits
+ - thermal: hwmon: Properly report critical temperature in sysfs
+ - USB: serial: kl5kusb105: fix open error path
+ - USB: serial: kl5kusb105: abort on open exception path
+ - [powerpc] ps3: Fix system hang with GCC 5 builds
+ - Btrfs: fix tree search logic when replaying directory entry deletes
+ - [armhf,arm64] bus: vexpress-config: fix device reference leak
+ - block: protect iterate_bdevs() against concurrent close
+ - NFS: Fix a performance regression in readdir
+ - xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
+ - mmc: sdhci: Fix recovery from tuning timeout
+ - CIFS: Fix missing nls unload in smb2_reconnect()
+ - CIFS: Fix a possible memory corruption in push locks
+ - CIFS: Fix a possible memory corruption during reconnect
+ - [x86] ALSA: hda - Add inverted internal mic for Asus Aspire 4830T
+ - [x86] ALSA: hda - Add the top speaker pin config for HP Spectre x360
+ - [x86] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
+ - drm/radeon: Hide the HW cursor while it's out of bounds
+ - drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
+ - drm/radeon: add additional pci revision to dpm workaround
+ - [armhf] xen: Use alloc_percpu rather than __alloc_percpu
+ - clk: clk-wm831x: fix a logic error
+ - hotplug: Make register and unregister notifier API symmetric
+ - iw_cxgb4: Fix error return code in c4iw_rdev_open()
+ - dm space map metadata: fix 'struct sm_metadata' leak on failed create
+ - md: MD_RECOVERY_NEEDED is set for mddev->recovery
+ - cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts
+ - hwmon: (ds620) Fix overflows seen when writing temperature limits
+ - [i386] ftrace: Set ftrace_stub to weak to prevent gcc from using short
+ jumps to it
+ - fgraph: Handle a case where a tracer ignores set_graph_notrace
+ - nfs_write_end(): fix handling of short copies
+ - ext4: reject inodes with negative size
+ - ext4: return -ENOMEM instead of success
+ - [s390*] vmlogrdr: fix IUCV buffer allocation
+ - [armhf] hwmon: (g762) Fix overflows and crash seen when writing limit
+ attributes
+ - ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
+ - libceph: verify authorize reply on connect
+ - fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes
+ - fsnotify: Fix possible use-after-free in inode iteration on umount
+ - IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
+ - IB/mlx4: Fix out-of-range array index in destroy qp flow
+ - Btrfs: delayed-inode: replace root args iff only fs_info used
+ - btrfs: limit async_work allocation and worker func duration
+ - block_dev: don't test bdev->bd_contains when it is not stable
+ - IB/mad: Fix an array index check
+ - IPoIB: Avoid reading an uninitialized member variable
+ - IB/multicast: Check ib_find_pkey() return value
+ - [s390x] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
+ - [s390x] scsi: zfcp: do not trace pure benign residual HBA responses at
+ default level
+ - [s390x] scsi: zfcp: fix rport unblock race with LUN recovery
+ - scsi: avoid a permanent stop of the scsi device's request queue
+ - target/iscsi: Fix double free in lio_target_tiqn_addtpg()
+ - [x86] drivers/gpu/drm/ast: Fix infinite loop if read fails
+ - NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
+ - [x86] drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from
+ vlv_init_display_clock_gating
+ - fs: exec: apply CLOEXEC before changing dumpable task flags
+ - [x86] Input: i8042 - add Pegatron touchpad to noloop table
+ - net, sched: fix soft lockup in tc_classify
+ - [armhf] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
+ - [armhf net: stmmac: Fix error path after register_netdev move
+ - net/mlx4_core: Use-after-free causes a resource leak in flow-steering
+ detach
+ - net/mlx4_en: Fix bad WQE issue
+ - net/mlx4: Remove BUG_ON from ICM allocation routine
+ - [armhf] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
+ - [armhf] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
+ - [armhf] usb: dwc3: gadget: always unmap EP0 requests
+ - [armhf] usb: gadget: composite: Test get_alt() presence instead of
+ set_alt()
+ - [armhf] usb: gadgetfs: restrict upper bound on device configuration size
+ - [armhf] USB: gadgetfs: fix unbounded memory allocation bug
+ - [armhf] USB: gadgetfs: fix use-after-free bug
+ - [armhf] USB: gadgetfs: fix checks of wTotalLength in config descriptors
+ - btrfs: fix error handling when run_delayed_extent_op fails
+ - btrfs: fix locking when we put back a delayed ref that's too new
+ - xhci: free xhci virtual devices with leaf nodes first
+ - usb: xhci: fix possible wild pointer
+ - usb: host: xhci: Fix possible wild pointer when handling abort command
+ - xhci: Handle command completion and timeout race
+ - usb: xhci: hold lock over xhci_abort_cmd_ring()
+ - USB: serial: cyberjack: fix NULL-deref at open
+ - USB: serial: garmin_gps: fix memory leak on failed URB submit
+ - USB: serial: io_edgeport: fix NULL-deref at open
+ - USB: serial: io_ti: fix NULL-deref at open
+ - USB: serial: io_ti: fix another NULL-deref at open
+ - USB: serial: iuu_phoenix: fix NULL-deref at open
+ - USB: serial: keyspan_pda: verify endpoints at probe
+ - USB: serial: kobil_sct: fix NULL-deref in write
+ - USB: serial: mos7720: fix NULL-deref at open
+ - USB: serial: mos7720: fix use-after-free on probe errors
+ - USB: serial: mos7720: fix parport use-after-free on probe errors
+ - USB: serial: mos7720: fix parallel probe
+ - USB: serial: mos7840: fix NULL-deref at open
+ - USB: serial: mos7840: fix misleading interrupt-URB comment
+ - USB: serial: omninet: fix NULL-derefs at open and disconnect
+ - USB: serial: oti6858: fix NULL-deref at open
+ - USB: serial: pl2303: fix NULL-deref at open
+ - USB: serial: quatech2: fix sleep-while-atomic in close
+ - USB: serial: spcp8x5: fix NULL-deref at open
+ - USB: serial: ti_usb_3410_5052: fix NULL-deref at open
+ - [x86] iommu/amd: Fix the left value check of cmd buffer
+ - [x86] mei: move write cb to completion on credentials failures
+ - ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
+ - [x86] cpu: Fix bootup crashes by sanitizing the argument of the
+ 'clearcpuid=' command-line option
+ - [armhf] usb: musb: Fix trying to free already-free IRQ 4
+ - usb: hub: Move hub_port_disable() to fix warning if PM is disabled
+ - USB: fix problems with duplicate endpoint addresses
+ - selftests: do not require bash to run netsocktests testcase
+ - HID: hid-cypress: validate length of report (CVE-2017-7273)
+ - ata: sata_mv:- Handle return value of devm_ioremap.
+ - drm/radeon: drop verde dpm quirks
+ - [x86] boot: Add missing declaration of string functions
+ - USB: ch341: remove redundant close from open error path
+ - USB: ch341: set tty baud speed according to tty struct
+ - USB: serial: ch341: add register and USB request definitions
+ - USB: serial: ch341: reinitialize chip on reconfiguration
+ - USB: serial: ch341: fix initial modem-control state
+ - USB: serial: ch341: fix open and resume after B0
+ - USB: serial: ch341: fix modem-control and B0 handling
+ - USB: serial: ch341: fix open error handling
+ - USB: serial: ch341: fix resume after reset
+ - USB: serial: ch341: fix baud rate and line-control handling
+ - gro: Enter slow-path if there is no tailroom
+ - gro: Disable frag0 optimization on IPv6 ext headers
+ - ocfs2: fix crash caused by stale lvb with fsdlm plugin
+ - mm/hugetlb.c: fix reservation race when freeing surplus pages
+ - sysrq: attach sysrq handler correctly for 32-bit kernel
+ - USB: serial: ch341: fix control-message error handling
+ - gro: use min_t() in skb_gro_reset_offset()
+ - [x86] PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
+ - xhci: fix deadlock at host remove by running watchdog correctly
+ - [x86] KVM: flush pending lapic jump label updates on module unload
+ - i2c: fix kernel memory disclosure in dev interface
+ - svcrpc: don't leak contexts on PROC_DESTROY
+ - netfilter: rpfilter: fix incorrect loopback packet judgment
+ - be2net: fix status check in be_cmd_pmac_add()
+ - net/mlx4_core: Fix racy CQ (Completion Queue) free
+ - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to
+ VGT transitions
+ - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
+ - clocksource/exynos_mct: Clear interrupt when cpu is shut down
+ - ubifs: Fix journal replay wrt. xattr nodes
+ - qla2xxx: Fix crash due to null pointer access
+ - can: c_can_pci: fix null-pointer-deref in c_can_start() - set device
+ pointer
+ - ceph: fix bad endianness handling in parse_reply_info_extra
+ - [arm64] ptrace: Preserve previous registers for short regset write
+ - [arm64] ptrace: Avoid uninitialised struct padding in fpr_set()
+ - [arm64] ptrace: Reject attempts to set incomplete hardware breakpoint
+ fields
+ - net: fix harmonize_features() vs NETIF_F_HIGHDMA
+ - [arm64] avoid returning from bad_mode
+ - tcp: initialize max window for a new fastopen socket
+ - nbd: fix use-after-free of rq/bio in the xmit path
+ - nbd: only set MSG_MORE when we have more to send
+ - [powerpc*] ptrace: Preserve previous fprs/vsrs on short regset write
+ - [powerpc*] Ignore reserved field in DCSR and PVR reads and writes
+ - [x86] platform: intel_mid_powerbtn: Set IRQ_ONESHOT
+ - crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
+ - [arm64] crypto: aes-blk - honour iv_out requirement in CBC and CTR modes
+ - [powerpc*] Add missing error check to prom_find_boot_cpu()
+ - nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
+ - ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
+ - SUNRPC: cleanup ida information when removing sunrpc module
+ - netfilter: nft_log: restrict the log prefix length to 127
+ - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
+ - [x86] drm/i915: Don't leak edid in intel_crt_detect_ddc()
+ - sysctl: fix proc_doulongvec_ms_jiffies_minmax()
+ - nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
+ - can: bcm: fix hrtimer/tasklet termination in bcm op removal
+ - perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
+ - [armel,armhf] 8643/3: ptrace: Preserve previous registers for short
+ regset write
+ - drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
+ - mmc: sdhci: Ignore unexpected CARD_INT interrupts
+ - svcrpc: fix oops in absence of krb5 module
+ - net: use a work queue to defer net_disable_timestamp() work
+ - mm, fs: check for fatal signals in do_generic_file_read()
+ - netlabel: out of bound access in cipso_v4_validate()
+ - mac80211: Fix adding of mesh vendor IEs
+ - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
+ - [x86] drm/i915: fix use-after-free in page_flip_completed()
+ - ALSA: seq: Fix race at creating a queue
+ - target: Use correct SCSI status during EXTENDED_COPY exception
+ - target: Fix early transport_generic_handle_tmr abort scenario
+ - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
+ - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
+ - ping: fix a null pointer dereference
+ - [s390x] scsi: zfcp: fix use-after-free by not tracing WKA port open/close
+ on failed send
+ - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
+ - l2tp: do not use udp_ioctl()
+ - futex: Move futex_init() to core_initcall
+ - mmc: core: fix multi-bit bus width without high-speed mode
+ - vfs: fix uninitialized flags in splice_to_pipe()
+ - packet: call fanout_release, while UNREGISTERING a netdev
+ - packet: Do not call fanout_release from atomic contexts
+ - printk: use rcuidle console tracepoint
+ - sg: Fix missing sanity check in /dev/sg
+ - sched/cputime: Fix invalid gtime in proc
+ - decnet: Do not build routes to devices without decnet private data.
+ - route: do not cache fib route info on local routes with oif
+ - sch_htb: update backlog as well
+ - sch_dsmark: update backlog as well
+ - netem: Segment GSO packets on enqueue
+ - [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only
+ - net: bridge: fix old ioctl unlocked net device walk
+ - udp: prevent skbs lingering in tunnel socket queues
+ - ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
+ - sit: correct IP protocol used in ipip6_err
+ - ipmr/ip6mr: Initialize the last assert time of mfc entries.
+ - net: alx: Work around the DMA RX overflow issue
+ - cdc_ncm: workaround for EM7455 "silent" data interface
+ - bonding: set carrier off for devices created through netlink
+ - net: fix sk_mem_reclaim_partial()
+ - tcp: fix overflow in __tcp_retransmit_skb()
+ - net: avoid sk_forward_alloc overflows
+ - tcp: fix wrong checksum calculation on MTU probing
+ - net: Add netdev all_adj_list refcnt propagation to fix panic
+ - net: sctp, forbid negative length
+ - net: clear sk_err_soft in sk_clone_lock()
+ - net: mangle zero checksum in skb_checksum_help()
+ - dccp: do not send reset to already closed sockets
+ - dccp: fix out of bound access in dccp_v4_err()
+ - ipv6: dccp: fix out of bound access in dccp_v6_err()
+ - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
+ - sctp: assign assoc_id earlier in __sctp_connect
+ - sock: fix sendmmsg for partial sendmsg
+ - ip6_tunnel: disable caching when the traffic class is inherited
+ - net: sky2: Fix shutdown crash
+ - net/sched: pedit: make sure that offset is valid
+ - net/dccp: fix use-after-free in dccp_invalid_packet
+ - [x86] netvsc: reduce maximum GSO size
+ - ipv6: handle -EFAULT from skb_copy_bits
+ - drop_monitor: add missing call to genlmsg_end
+ - drop_monitor: consider inserted data in genlmsg_end
+ - igmp: Make igmp group member RFC 3376 compliant
+ - r8152: fix the sw rx checksum is unavailable
+ - tcp: fix tcp_fastopen unaligned access complaints on sparc
+ - ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
+ - net: socket: fix recvmmsg not returning error from sock_error
+ - can: Fix kernel panic at security_sock_rcv_skb
+ - ipv6: fix ip6_tnl_parse_tlv_enc_lim()
+ - ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
+ - tcp: fix 0 divide in __tcp_select_window()
+ - tun: Fix TUN_PKT_STRIP setting
+ - tun: read vnet_hdr_sz once
+ - macvtap: read vnet_hdr_size once
+ - mlx4: Invoke softirqs after napi_reschedule
+ - sit: fix a double free on error path
+ - igmp: do not remove igmp souce list info when set link down
+ - mld: do not remove mld souce list info when set link down
+ - igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
+ - [x86] Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
+ (regression in 3.16.7-ckt24)
[ Ben Hutchings ]
* locking/mutex: Don't assume TASK_RUNNING (Closes: #841171)
+ * can, tcp: Ignore ABI changes
+ * [arm64] ptrace: Avoid ABI change in 3.16.42
+ * [x86] Revert "x86/panic: replace smp_send_stop() with kdump friendly
+ version in panic path" to avoid ABI change
+ * net: Avoid ABI change for "net: fix sk_mem_reclaim_partial()"
+ * vfs: Avoid ABI change for "mnt: Add a per mount namespace limit ..."
+ * mmc: Avoid ABI change for "mmc: core: Annotate cmd_hdr as __le32"
[ Salvatore Bonaccorso ]
* sunrpc: fix refcounting problems with auth_gss messages.
diff --git a/debian/config/defines b/debian/config/defines
index b46fa04..8ae9c33 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -3,6 +3,7 @@ abiname: 4
ignore-changes:
# Should not be used from OOT
module:arch/x86/kvm/kvm
+ module:arch/powerpc/kvm/kvm
module:drivers/md/dm-snapshot
module:drivers/misc/mei/*
module:drivers/mtd/spi-nor/spi-nor
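Review bot: The added `module:arch/powerpc/kvm/kvm` line has no comment saying which change in 3.16.42 altered the powerpc KVM ABI, and the same holds for `can_rx_register`, `kvmppc_*`, `tcp_make_synack`, `tcp_parse_options` and `tcp_try_fastopen` in the next hunk. Each entry switches off the ABI check that would otherwise force a bump of `abiname: 4`, so a later reader cannot tell from this file whether the exemption is still justified or how wide it was meant to be; the `kvmppc_*` wildcard also covers any future change to those symbols. The visible changelog lines mention "can, tcp: Ignore ABI changes" but nothing for powerpc KVM, though the changelog hunk starts outside this view. I would add a one-line comment above each new group, e.g. `# ABI changed by the 3.16.42 stable update; in-tree users only`, and confirm that `can_rx_register` and the three `tcp_*` exports have no out-of-tree callers before leaving abiname unchanged.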
@@ -23,8 +24,13 @@ ignore-changes:
azx_get_response
azx_init_cmd_io
azx_send_cmd
+ can_rx_register
cpuidle_*
+ kvmppc_*
musb_*
+ tcp_make_synack
+ tcp_parse_options
+ tcp_try_fastopen
# Apparently not used OOT
__add_pages
__remove_pages
diff --git a/debian/patches/bugfix/all/TTY-n_hdlc-fix-lockdep-false-positive.patch b/debian/patches/bugfix/all/TTY-n_hdlc-fix-lockdep-false-positive.patch
deleted file mode 100644
index 9a26038..0000000
--- a/debian/patches/bugfix/all/TTY-n_hdlc-fix-lockdep-false-positive.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From: Jiri Slaby <jslaby at suse.cz>
-Date: Thu, 26 Nov 2015 19:28:26 +0100
-Subject: TTY: n_hdlc, fix lockdep false positive
-Origin: https://git.kernel.org/linus/e9b736d88af1a143530565929390cadf036dc799
-
-The class of 4 n_hdls buf locks is the same because a single function
-n_hdlc_buf_list_init is used to init all the locks. But since
-flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
-n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
-emits a warning:
-=============================================
-[ INFO: possible recursive locking detected ]
-4.3.0-25.g91e30a7-default #1 Not tainted
----------------------------------------------
-a.out/1248 is trying to acquire lock:
- (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
-
-but task is already holding lock:
- (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
-
-other info that might help us debug this:
- Possible unsafe locking scenario:
-
- CPU0
- ----
- lock(&(&list->spinlock)->rlock);
- lock(&(&list->spinlock)->rlock);
-
- *** DEADLOCK ***
-
- May be due to missing lock nesting notation
-
-2 locks held by a.out/1248:
- #0: (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
- #1: (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
-...
-Call Trace:
-...
- [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
- [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
- [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
- [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
-...
-
-Fix it by initializing the spin_locks separately. This removes also
-reduntand memset of a freshly kzallocated space.
-
-Signed-off-by: Jiri Slaby <jslaby at suse.cz>
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/tty/n_hdlc.c | 19 ++++---------------
- 1 file changed, 4 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
-index bbc4ce6..bcaba17 100644
---- a/drivers/tty/n_hdlc.c
-+++ b/drivers/tty/n_hdlc.c
-@@ -159,7 +159,6 @@ struct n_hdlc {
- /*
- * HDLC buffer list manipulation functions
- */
--static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
- static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
- struct n_hdlc_buf *buf);
- static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
-@@ -853,10 +852,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
- if (!n_hdlc)
- return NULL;
-
-- n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
-- n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
-+ spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
-+ spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
-
- /* allocate free rx buffer list */
- for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
-@@ -885,16 +884,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
- } /* end of n_hdlc_alloc() */
-
- /**
-- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
-- * @list - pointer to buffer list
-- */
--static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
--{
-- memset(list, 0, sizeof(*list));
-- spin_lock_init(&list->spinlock);
--} /* end of n_hdlc_buf_list_init() */
--
--/**
- * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
- * @list - pointer to buffer list
- * @buf - pointer to buffer
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch b/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
deleted file mode 100644
index f5421b8..0000000
--- a/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Takashi Iwai <tiwai at suse.de>
-Date: Thu, 14 Apr 2016 18:02:37 +0200
-Subject: ALSA: pcm : Call kill_fasync() in stream lock
-Origin: https://git.kernel.org/linus/3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9794
-
-Currently kill_fasync() is called outside the stream lock in
-snd_pcm_period_elapsed(). This is potentially racy, since the stream
-may get released even during the irq handler is running. Although
-snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
-guarantee that the irq handler finishes, thus the kill_fasync() call
-outside the stream spin lock may be invoked after the substream is
-detached, as recently reported by KASAN.
-
-As a quick workaround, move kill_fasync() call inside the stream
-lock. The fasync is rarely used interface, so this shouldn't have a
-big impact from the performance POV.
-
-Ideally, we should implement some sync mechanism for the proper finish
-of stream and irq handler. But this oneliner should suffice for most
-cases, so far.
-
-Reported-by: Baozeng Ding <sploving1 at gmail.com>
-Signed-off-by: Takashi Iwai <tiwai at suse.de>
-[bwh: Backported to 3.16: adjust context]
----
- sound/core/pcm_lib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/sound/core/pcm_lib.c
-+++ b/sound/core/pcm_lib.c
-@@ -1856,10 +1856,10 @@ void snd_pcm_period_elapsed(struct snd_p
- if (substream->timer_running)
- snd_timer_interrupt(substream->timer, 1);
- _end:
-- snd_pcm_stream_unlock_irqrestore(substream, flags);
- if (runtime->transfer_ack_end)
- runtime->transfer_ack_end(substream);
- kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
-+ snd_pcm_stream_unlock_irqrestore(substream, flags);
- }
-
- EXPORT_SYMBOL(snd_pcm_period_elapsed);
diff --git a/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
deleted file mode 100644
index 4421444..0000000
--- a/debian/patches/bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Thu, 16 Feb 2017 17:22:46 +0100
-Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
-Origin: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
-
-In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
-is forcibly freed via __kfree_skb in dccp_rcv_state_process if
-dccp_v6_conn_request successfully returns.
-
-However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
-is saved to ireq->pktopts and the ref count for skb is incremented in
-dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
-in dccp_rcv_state_process.
-
-Fix by calling consume_skb instead of doing goto discard and therefore
-calling __kfree_skb.
-
-Similar fixes for TCP:
-
-fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
-0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
-simply consumed
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/dccp/input.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/dccp/input.c b/net/dccp/input.c
-index ba34718..8fedc2d 100644
---- a/net/dccp/input.c
-+++ b/net/dccp/input.c
-@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
- if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
- skb) < 0)
- return 1;
-- goto discard;
-+ consume_skb(skb);
-+ return 0;
- }
- if (dh->dccph_type == DCCP_PKT_RESET)
- goto discard;
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch b/debian/patches/bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
deleted file mode 100644
index ab579ee..0000000
--- a/debian/patches/bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Tue, 12 Jul 2016 18:18:57 -0400
-Subject: dccp: limit sk_filter trim to payload
-Origin: https://git.kernel.org/linus/4f0c40d94461cfd23893a17335b2ab78ecb333c8
-
-Dccp verifies packet integrity, including length, at initial rcv in
-dccp_invalid_packet, later pulls headers in dccp_enqueue_skb.
-
-A call to sk_filter in-between can cause __skb_pull to wrap skb->len.
-skb_copy_datagram_msg interprets this as a negative value, so
-(correctly) fails with EFAULT. The negative length is reported in
-ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close.
-
-Introduce an sk_receive_skb variant that caps how small a filter
-program can trim packets, and call this in dccp with the header
-length. Excessively trimmed packets are now processed normally and
-queued for reception as 0B payloads.
-
-Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Acked-by: Daniel Borkmann <daniel at iogearbox.net>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- include/net/sock.h | 8 +++++++-
- net/core/sock.c | 7 ++++---
- net/dccp/ipv4.c | 2 +-
- net/dccp/ipv6.c | 2 +-
- 4 files changed, 13 insertions(+), 6 deletions(-)
-
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -1669,7 +1669,13 @@ static inline void sock_put(struct sock
- */
- void sock_gen_put(struct sock *sk);
-
--int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested);
-+int __sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested,
-+ unsigned int trim_cap);
-+static inline int sk_receive_skb(struct sock *sk, struct sk_buff *skb,
-+ const int nested)
-+{
-+ return __sk_receive_skb(sk, skb, nested, 1);
-+}
-
- static inline void sk_tx_queue_set(struct sock *sk, int tx_queue)
- {
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -480,11 +480,12 @@ int sock_queue_rcv_skb(struct sock *sk,
- }
- EXPORT_SYMBOL(sock_queue_rcv_skb);
-
--int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
-+int __sk_receive_skb(struct sock *sk, struct sk_buff *skb,
-+ const int nested, unsigned int trim_cap)
- {
- int rc = NET_RX_SUCCESS;
-
-- if (sk_filter(sk, skb))
-+ if (sk_filter_trim_cap(sk, skb, trim_cap))
- goto discard_and_relse;
-
- skb->dev = NULL;
-@@ -520,7 +521,7 @@ discard_and_relse:
- kfree_skb(skb);
- goto out;
- }
--EXPORT_SYMBOL(sk_receive_skb);
-+EXPORT_SYMBOL(__sk_receive_skb);
-
- struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie)
- {
---- a/net/dccp/ipv4.c
-+++ b/net/dccp/ipv4.c
-@@ -890,7 +890,7 @@ static int dccp_v4_rcv(struct sk_buff *s
- goto discard_and_relse;
- nf_reset(skb);
-
-- return sk_receive_skb(sk, skb, 1);
-+ return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4);
-
- no_dccp_socket:
- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -804,7 +804,7 @@ static int dccp_v6_rcv(struct sk_buff *s
- if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
- goto discard_and_relse;
-
-- return sk_receive_skb(sk, skb, 1) ? -1 : 0;
-+ return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4) ? -1 : 0;
-
- no_dccp_socket:
- if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
diff --git a/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch b/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch
deleted file mode 100644
index 7f0b091..0000000
--- a/debian/patches/bugfix/all/fbdev-color-map-copying-bounds-checking.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Tue, 24 Jan 2017 15:18:24 -0800
-Subject: fbdev: color map copying bounds checking
-Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
-
-Copying color maps to userspace doesn't check the value of to->start,
-which will cause kernel heap buffer OOB read due to signedness wraps.
-
-CVE-2016-8405
-
-Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Reported-by: Peter Pi (@heisecode) of Trend Micro
-Cc: Min Chong <mchong at google.com>
-Cc: Dan Carpenter <dan.carpenter at oracle.com>
-Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
-Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
-index f89245b8ba8e..68a113594808 100644
---- a/drivers/video/fbdev/core/fbcmap.c
-+++ b/drivers/video/fbdev/core/fbcmap.c
-@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
-
- int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
- {
-- int tooff = 0, fromoff = 0;
-- int size;
-+ unsigned int tooff = 0, fromoff = 0;
-+ size_t size;
-
- if (to->start > from->start)
- fromoff = to->start - from->start;
- else
- tooff = from->start - to->start;
-- size = to->len - tooff;
-- if (size > (int) (from->len - fromoff))
-- size = from->len - fromoff;
-- if (size <= 0)
-+ if (fromoff >= from->len || tooff >= to->len)
-+ return -EINVAL;
-+
-+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+ if (size == 0)
- return -EINVAL;
- size *= sizeof(u16);
-
-@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
-
- int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
- {
-- int tooff = 0, fromoff = 0;
-- int size;
-+ unsigned int tooff = 0, fromoff = 0;
-+ size_t size;
-
- if (to->start > from->start)
- fromoff = to->start - from->start;
- else
- tooff = from->start - to->start;
-- size = to->len - tooff;
-- if (size > (int) (from->len - fromoff))
-- size = from->len - fromoff;
-- if (size <= 0)
-+ if (fromoff >= from->len || tooff >= to->len)
-+ return -EINVAL;
-+
-+ size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+ if (size == 0)
- return -EINVAL;
- size *= sizeof(u16);
-
diff --git a/debian/patches/bugfix/all/fs-give-dentry-to-inode_change_ok-instead-of-inode.patch b/debian/patches/bugfix/all/fs-give-dentry-to-inode_change_ok-instead-of-inode.patch
deleted file mode 100644
index a7edd95..0000000
--- a/debian/patches/bugfix/all/fs-give-dentry-to-inode_change_ok-instead-of-inode.patch
+++ /dev/null
@@ -1,678 +0,0 @@
-From: Jan Kara <jack at suse.cz>
-Date: Thu, 26 May 2016 16:55:18 +0200
-Subject: fs: Give dentry to inode_change_ok() instead of inode
-Origin: https://git.kernel.org/linus/31051c85b5e2aaaf6315f74c72a732673632a905
-
-inode_change_ok() will be resposible for clearing capabilities and IMA
-extended attributes and as such will need dentry. Give it as an argument
-to inode_change_ok() instead of an inode. Also rename inode_change_ok()
-to setattr_prepare() to better relect that it does also some
-modifications in addition to checks.
-
-Reviewed-by: Christoph Hellwig <hch at lst.de>
-Signed-off-by: Jan Kara <jack at suse.cz>
-[bwh: Backported to 3.16:
- - Drop changes to orangefs, overlayfs
- - Adjust filenames, context
- - In nfsd, pass dentry to nfsd_sanitize_attrs()
- - Update ext3 as well]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/Documentation/filesystems/porting
-+++ b/Documentation/filesystems/porting
-@@ -287,8 +287,8 @@ implementing on-disk size changes. Star
- and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
- be in order of zeroing blocks using block_truncate_page or similar helpers,
- size update and on finally on-disk truncation which should not fail.
--inode_change_ok now includes the size checks for ATTR_SIZE and must be called
--in the beginning of ->setattr unconditionally.
-+setattr_prepare (which used to be inode_change_ok) now includes the size checks
-+for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
-
- [mandatory]
-
---- a/drivers/staging/lustre/lustre/llite/llite_lib.c
-+++ b/drivers/staging/lustre/lustre/llite/llite_lib.c
-@@ -1386,7 +1386,7 @@ int ll_setattr_raw(struct dentry *dentry
- attr->ia_valid |= ATTR_MTIME | ATTR_CTIME;
- }
-
-- /* POSIX: check before ATTR_*TIME_SET set (from inode_change_ok) */
-+ /* POSIX: check before ATTR_*TIME_SET set (from setattr_prepare) */
- if (attr->ia_valid & TIMES_SET_FLAGS) {
- if ((!uid_eq(current_fsuid(), inode->i_uid)) &&
- !capable(CFS_CAP_FOWNER))
---- a/fs/9p/vfs_inode.c
-+++ b/fs/9p/vfs_inode.c
-@@ -1094,7 +1094,7 @@ static int v9fs_vfs_setattr(struct dentr
- struct p9_wstat wstat;
-
- p9_debug(P9_DEBUG_VFS, "\n");
-- retval = inode_change_ok(dentry->d_inode, iattr);
-+ retval = setattr_prepare(dentry, iattr);
- if (retval)
- return retval;
-
---- a/fs/9p/vfs_inode_dotl.c
-+++ b/fs/9p/vfs_inode_dotl.c
-@@ -560,7 +560,7 @@ int v9fs_vfs_setattr_dotl(struct dentry
-
- p9_debug(P9_DEBUG_VFS, "\n");
-
-- retval = inode_change_ok(inode, iattr);
-+ retval = setattr_prepare(dentry, iattr);
- if (retval)
- return retval;
-
---- a/fs/adfs/inode.c
-+++ b/fs/adfs/inode.c
-@@ -303,7 +303,7 @@ adfs_notify_change(struct dentry *dentry
- unsigned int ia_valid = attr->ia_valid;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
-
- /*
- * we can't change the UID or GID of any file -
---- a/fs/affs/inode.c
-+++ b/fs/affs/inode.c
-@@ -222,7 +222,7 @@ affs_notify_change(struct dentry *dentry
-
- pr_debug("notify_change(%lu,0x%x)\n", inode->i_ino, attr->ia_valid);
-
-- error = inode_change_ok(inode,attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- goto out;
-
---- a/fs/attr.c
-+++ b/fs/attr.c
-@@ -17,19 +17,22 @@
- #include <linux/ima.h>
-
- /**
-- * inode_change_ok - check if attribute changes to an inode are allowed
-- * @inode: inode to check
-+ * setattr_prepare - check if attribute changes to a dentry are allowed
-+ * @dentry: dentry to check
- * @attr: attributes to change
- *
- * Check if we are allowed to change the attributes contained in @attr
-- * in the given inode. This includes the normal unix access permission
-- * checks, as well as checks for rlimits and others.
-+ * in the given dentry. This includes the normal unix access permission
-+ * checks, as well as checks for rlimits and others. The function also clears
-+ * SGID bit from mode if user is not allowed to set it. Also file capabilities
-+ * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
- *
- * Should be called as the first thing in ->setattr implementations,
- * possibly after taking additional locks.
- */
--int inode_change_ok(const struct inode *inode, struct iattr *attr)
-+int setattr_prepare(struct dentry *dentry, struct iattr *attr)
- {
-+ struct inode *inode = d_inode(dentry);
- unsigned int ia_valid = attr->ia_valid;
-
- /*
-@@ -89,7 +92,7 @@ kill_priv:
-
- return 0;
- }
--EXPORT_SYMBOL(inode_change_ok);
-+EXPORT_SYMBOL(setattr_prepare);
-
- /**
- * inode_newsize_ok - may this inode be truncated to a given size
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -4690,7 +4690,7 @@ static int btrfs_setattr(struct dentry *
- if (btrfs_root_readonly(root))
- return -EROFS;
-
-- err = inode_change_ok(inode, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err)
- return err;
-
---- a/fs/ceph/inode.c
-+++ b/fs/ceph/inode.c
-@@ -1708,7 +1708,7 @@ int ceph_setattr(struct dentry *dentry,
- if (ceph_snap(inode) != CEPH_NOSNAP)
- return -EROFS;
-
-- err = inode_change_ok(inode, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err != 0)
- return err;
-
---- a/fs/cifs/inode.c
-+++ b/fs/cifs/inode.c
-@@ -2074,7 +2074,7 @@ cifs_setattr_unix(struct dentry *direntr
- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
- attrs->ia_valid |= ATTR_FORCE;
-
-- rc = inode_change_ok(inode, attrs);
-+ rc = setattr_prepare(direntry, attrs);
- if (rc < 0)
- goto out;
-
-@@ -2215,7 +2215,7 @@ cifs_setattr_nounix(struct dentry *diren
- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
- attrs->ia_valid |= ATTR_FORCE;
-
-- rc = inode_change_ok(inode, attrs);
-+ rc = setattr_prepare(direntry, attrs);
- if (rc < 0) {
- free_xid(xid);
- return rc;
---- a/fs/ecryptfs/inode.c
-+++ b/fs/ecryptfs/inode.c
-@@ -952,7 +952,7 @@ static int ecryptfs_setattr(struct dentr
- }
- mutex_unlock(&crypt_stat->cs_mutex);
-
-- rc = inode_change_ok(inode, ia);
-+ rc = setattr_prepare(dentry, ia);
- if (rc)
- goto out;
- if (ia->ia_valid & ATTR_SIZE) {
---- a/fs/exofs/inode.c
-+++ b/fs/exofs/inode.c
-@@ -1039,7 +1039,7 @@ int exofs_setattr(struct dentry *dentry,
- if (unlikely(error))
- return error;
-
-- error = inode_change_ok(inode, iattr);
-+ error = setattr_prepare(dentry, iattr);
- if (unlikely(error))
- return error;
-
---- a/fs/ext2/inode.c
-+++ b/fs/ext2/inode.c
-@@ -1547,7 +1547,7 @@ int ext2_setattr(struct dentry *dentry,
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, iattr);
-+ error = setattr_prepare(dentry, iattr);
- if (error)
- return error;
-
---- a/fs/ext3/inode.c
-+++ b/fs/ext3/inode.c
-@@ -3244,7 +3244,7 @@ int ext3_setattr(struct dentry *dentry,
- int error, rc = 0;
- const unsigned int ia_valid = attr->ia_valid;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/ext4/inode.c
-+++ b/fs/ext4/inode.c
-@@ -4672,7 +4672,7 @@ int ext4_setattr(struct dentry *dentry,
- int orphan = 0;
- const unsigned int ia_valid = attr->ia_valid;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/f2fs/file.c
-+++ b/fs/f2fs/file.c
-@@ -500,7 +500,7 @@ int f2fs_setattr(struct dentry *dentry,
- struct f2fs_inode_info *fi = F2FS_I(inode);
- int err;
-
-- err = inode_change_ok(inode, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err)
- return err;
-
---- a/fs/fat/file.c
-+++ b/fs/fat/file.c
-@@ -394,7 +394,7 @@ int fat_setattr(struct dentry *dentry, s
- attr->ia_valid &= ~TIMES_SET_FLAGS;
- }
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- attr->ia_valid = ia_valid;
- if (error) {
- if (sbi->options.quiet)
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -1722,7 +1722,7 @@ int fuse_do_setattr(struct dentry *dentr
- if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
- attr->ia_valid |= ATTR_FORCE;
-
-- err = inode_change_ok(inode, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err)
- return err;
-
---- a/fs/gfs2/inode.c
-+++ b/fs/gfs2/inode.c
-@@ -1774,7 +1774,7 @@ static int gfs2_setattr(struct dentry *d
- if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
- goto out;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- goto out;
-
---- a/fs/hfs/inode.c
-+++ b/fs/hfs/inode.c
-@@ -604,7 +604,7 @@ int hfs_inode_setattr(struct dentry *den
- struct hfs_sb_info *hsb = HFS_SB(inode->i_sb);
- int error;
-
-- error = inode_change_ok(inode, attr); /* basic permission checks */
-+ error = setattr_prepare(dentry, attr); /* basic permission checks */
- if (error)
- return error;
-
---- a/fs/hfsplus/inode.c
-+++ b/fs/hfsplus/inode.c
-@@ -247,7 +247,7 @@ static int hfsplus_setattr(struct dentry
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/hostfs/hostfs_kern.c
-+++ b/fs/hostfs/hostfs_kern.c
-@@ -792,7 +792,7 @@ static int hostfs_setattr(struct dentry
-
- int fd = HOSTFS_I(inode)->fd;
-
-- err = inode_change_ok(inode, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err)
- return err;
-
---- a/fs/hpfs/inode.c
-+++ b/fs/hpfs/inode.c
-@@ -272,7 +272,7 @@ int hpfs_setattr(struct dentry *dentry,
- if ((attr->ia_valid & ATTR_SIZE) && attr->ia_size > inode->i_size)
- goto out_unlock;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- goto out_unlock;
-
---- a/fs/hugetlbfs/inode.c
-+++ b/fs/hugetlbfs/inode.c
-@@ -429,7 +429,7 @@ static int hugetlbfs_setattr(struct dent
-
- BUG_ON(!inode);
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/jffs2/fs.c
-+++ b/fs/jffs2/fs.c
-@@ -193,7 +193,7 @@ int jffs2_setattr(struct dentry *dentry,
- struct inode *inode = dentry->d_inode;
- int rc;
-
-- rc = inode_change_ok(inode, iattr);
-+ rc = setattr_prepare(dentry, iattr);
- if (rc)
- return rc;
-
---- a/fs/jfs/file.c
-+++ b/fs/jfs/file.c
-@@ -103,7 +103,7 @@ int jfs_setattr(struct dentry *dentry, s
- struct inode *inode = dentry->d_inode;
- int rc;
-
-- rc = inode_change_ok(inode, iattr);
-+ rc = setattr_prepare(dentry, iattr);
- if (rc)
- return rc;
-
---- a/fs/kernfs/inode.c
-+++ b/fs/kernfs/inode.c
-@@ -131,7 +131,7 @@ int kernfs_iop_setattr(struct dentry *de
- return -EINVAL;
-
- mutex_lock(&kernfs_mutex);
-- error = inode_change_ok(inode, iattr);
-+ error = setattr_prepare(dentry, iattr);
- if (error)
- goto out;
-
---- a/fs/libfs.c
-+++ b/fs/libfs.c
-@@ -371,7 +371,7 @@ int simple_setattr(struct dentry *dentry
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, iattr);
-+ error = setattr_prepare(dentry, iattr);
- if (error)
- return error;
-
---- a/fs/logfs/file.c
-+++ b/fs/logfs/file.c
-@@ -244,7 +244,7 @@ static int logfs_setattr(struct dentry *
- struct inode *inode = dentry->d_inode;
- int err = 0;
-
-- err = inode_change_ok(inode, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err)
- return err;
-
---- a/fs/minix/file.c
-+++ b/fs/minix/file.c
-@@ -28,7 +28,7 @@ static int minix_setattr(struct dentry *
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/ncpfs/inode.c
-+++ b/fs/ncpfs/inode.c
-@@ -885,7 +885,7 @@ int ncp_notify_change(struct dentry *den
- /* ageing the dentry to force validation */
- ncp_age_dentry(server, dentry);
-
-- result = inode_change_ok(inode, attr);
-+ result = setattr_prepare(dentry, attr);
- if (result < 0)
- goto out;
-
---- a/fs/nfsd/vfs.c
-+++ b/fs/nfsd/vfs.c
-@@ -300,17 +300,19 @@ commit_metadata(struct svc_fh *fhp)
- * NFS semantics and what Linux expects.
- */
- static void
--nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
-+nfsd_sanitize_attrs(struct dentry *dentry, struct iattr *iap)
- {
-+ struct inode *inode = dentry->d_inode;
-+
- /*
- * NFSv2 does not differentiate between "set-[ac]time-to-now"
- * which only requires access, and "set-[ac]time-to-X" which
- * requires ownership.
- * So if it looks like it might be "set both to the same time which
-- * is close to now", and if inode_change_ok fails, then we
-+ * is close to now", and if setattr_prepare fails, then we
- * convert to "set to now" instead of "set to explicit time"
- *
-- * We only call inode_change_ok as the last test as technically
-+ * We only call setattr_prepare as the last test as technically
- * it is not an interface that we should be using.
- */
- #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
-@@ -328,7 +330,7 @@ nfsd_sanitize_attrs(struct inode *inode,
- if (delta < 0)
- delta = -delta;
- if (delta < MAX_TOUCH_TIME_ERROR &&
-- inode_change_ok(inode, iap) != 0) {
-+ setattr_prepare(dentry, iap) != 0) {
- /*
- * Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
- * This will cause notify_change to set these times
-@@ -435,7 +437,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
- if (!iap->ia_valid)
- goto out;
-
-- nfsd_sanitize_attrs(inode, iap);
-+ nfsd_sanitize_attrs(dentry, iap);
-
- /*
- * The size case is special, it changes the file in addition to the
---- a/fs/nilfs2/inode.c
-+++ b/fs/nilfs2/inode.c
-@@ -839,7 +839,7 @@ int nilfs_setattr(struct dentry *dentry,
- struct super_block *sb = inode->i_sb;
- int err;
-
-- err = inode_change_ok(inode, iattr);
-+ err = setattr_prepare(dentry, iattr);
- if (err)
- return err;
-
---- a/fs/ntfs/inode.c
-+++ b/fs/ntfs/inode.c
-@@ -2891,7 +2891,7 @@ int ntfs_setattr(struct dentry *dentry,
- int err;
- unsigned int ia_valid = attr->ia_valid;
-
-- err = inode_change_ok(vi, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err)
- goto out;
- /* We do not support NTFS ACLs yet. */
---- a/fs/ocfs2/dlmfs/dlmfs.c
-+++ b/fs/ocfs2/dlmfs/dlmfs.c
-@@ -211,7 +211,7 @@ static int dlmfs_file_setattr(struct den
- struct inode *inode = dentry->d_inode;
-
- attr->ia_valid &= ~ATTR_SIZE;
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/ocfs2/file.c
-+++ b/fs/ocfs2/file.c
-@@ -1144,7 +1144,7 @@ int ocfs2_setattr(struct dentry *dentry,
- if (!(attr->ia_valid & OCFS2_VALID_ATTRS))
- return 0;
-
-- status = inode_change_ok(inode, attr);
-+ status = setattr_prepare(dentry, attr);
- if (status)
- return status;
-
---- a/fs/omfs/file.c
-+++ b/fs/omfs/file.c
-@@ -351,7 +351,7 @@ static int omfs_setattr(struct dentry *d
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -536,7 +536,7 @@ int proc_setattr(struct dentry *dentry,
- if (attr->ia_valid & ATTR_MODE)
- return -EPERM;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/proc/generic.c
-+++ b/fs/proc/generic.c
-@@ -41,7 +41,7 @@ static int proc_notify_change(struct den
- struct proc_dir_entry *de = PDE(inode);
- int error;
-
-- error = inode_change_ok(inode, iattr);
-+ error = setattr_prepare(dentry, iattr);
- if (error)
- return error;
-
---- a/fs/proc/proc_sysctl.c
-+++ b/fs/proc/proc_sysctl.c
-@@ -753,7 +753,7 @@ static int proc_sys_setattr(struct dentr
- if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
- return -EPERM;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/ramfs/file-nommu.c
-+++ b/fs/ramfs/file-nommu.c
-@@ -163,7 +163,7 @@ static int ramfs_nommu_setattr(struct de
- int ret = 0;
-
- /* POSIX UID/GID verification for setting inode attributes */
-- ret = inode_change_ok(inode, ia);
-+ ret = setattr_prepare(dentry, ia);
- if (ret)
- return ret;
-
---- a/fs/reiserfs/inode.c
-+++ b/fs/reiserfs/inode.c
-@@ -3312,7 +3312,7 @@ int reiserfs_setattr(struct dentry *dent
- unsigned int ia_valid;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/sysv/file.c
-+++ b/fs/sysv/file.c
-@@ -35,7 +35,7 @@ static int sysv_setattr(struct dentry *d
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/ubifs/file.c
-+++ b/fs/ubifs/file.c
-@@ -1262,7 +1262,7 @@ int ubifs_setattr(struct dentry *dentry,
-
- dbg_gen("ino %lu, mode %#x, ia_valid %#x",
- inode->i_ino, inode->i_mode, attr->ia_valid);
-- err = inode_change_ok(inode, attr);
-+ err = setattr_prepare(dentry, attr);
- if (err)
- return err;
-
---- a/fs/udf/file.c
-+++ b/fs/udf/file.c
-@@ -269,7 +269,7 @@ static int udf_setattr(struct dentry *de
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/ufs/truncate.c
-+++ b/fs/ufs/truncate.c
-@@ -496,7 +496,7 @@ int ufs_setattr(struct dentry *dentry, s
- unsigned int ia_valid = attr->ia_valid;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
---- a/fs/utimes.c
-+++ b/fs/utimes.c
-@@ -81,7 +81,7 @@ static int utimes_common(struct path *pa
- newattrs.ia_valid |= ATTR_MTIME_SET;
- }
- /*
-- * Tell inode_change_ok(), that this is an explicit time
-+ * Tell setattr_prepare(), that this is an explicit time
- * update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET
- * were used.
- */
-@@ -90,7 +90,7 @@ static int utimes_common(struct path *pa
- /*
- * If times is NULL (or both times are UTIME_NOW),
- * then we need to check permissions, because
-- * inode_change_ok() won't do it.
-+ * setattr_prepare() won't do it.
- */
- error = -EACCES;
- if (IS_IMMUTABLE(inode))
---- a/fs/xfs/xfs_iops.c
-+++ b/fs/xfs/xfs_iops.c
-@@ -530,9 +530,7 @@ xfs_vn_change_ok(
- struct dentry *dentry,
- struct iattr *iattr)
- {
-- struct inode *inode = d_inode(dentry);
-- struct xfs_inode *ip = XFS_I(inode);
-- struct xfs_mount *mp = ip->i_mount;
-+ struct xfs_mount *mp = XFS_I(d_inode(dentry))->i_mount;
-
- if (mp->m_flags & XFS_MOUNT_RDONLY)
- return XFS_ERROR(EROFS);
-@@ -540,14 +538,14 @@ xfs_vn_change_ok(
- if (XFS_FORCED_SHUTDOWN(mp))
- return XFS_ERROR(EIO);
-
-- return XFS_ERROR(-inode_change_ok(inode, iattr));
-+ return XFS_ERROR(-setattr_prepare(dentry, iattr));
- }
-
- /*
- * Set non-size attributes of an inode.
- *
- * Caution: The caller of this function is responsible for calling
-- * inode_change_ok() or otherwise verifying the change is fine.
-+ * setattr_prepare() or otherwise verifying the change is fine.
- */
- int
- xfs_setattr_nonsize(
-@@ -758,7 +756,7 @@ xfs_vn_setattr_nonsize(
- * Truncate file. Must have write permission and not be a directory.
- *
- * Caution: The caller of this function is responsible for calling
-- * inode_change_ok() or otherwise verifying the change is fine.
-+ * setattr_prepare() or otherwise verifying the change is fine.
- */
- int
- xfs_setattr_size(
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -2629,7 +2629,7 @@ extern int buffer_migrate_page(struct ad
- #define buffer_migrate_page NULL
- #endif
-
--extern int inode_change_ok(const struct inode *, struct iattr *);
-+extern int setattr_prepare(struct dentry *, struct iattr *);
- extern int inode_newsize_ok(const struct inode *, loff_t offset);
- extern void setattr_copy(struct inode *inode, const struct iattr *attr);
-
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -540,7 +540,7 @@ static int shmem_setattr(struct dentry *
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = inode_change_ok(inode, attr);
-+ error = setattr_prepare(dentry, attr);
- if (error)
- return error;
-
diff --git a/debian/patches/bugfix/all/fuse-propagate-dentry-down-to-inode_change_ok.patch b/debian/patches/bugfix/all/fuse-propagate-dentry-down-to-inode_change_ok.patch
deleted file mode 100644
index b24af47..0000000
--- a/debian/patches/bugfix/all/fuse-propagate-dentry-down-to-inode_change_ok.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: Jan Kara <jack at suse.cz>
-Date: Thu, 26 May 2016 17:12:41 +0200
-Subject: fuse: Propagate dentry down to inode_change_ok()
-Origin: https://git.kernel.org/linus/62490330769c1ce5dcba3f1f3e8f4005e9b797e6
-
-To avoid clearing of capabilities or security related extended
-attributes too early, inode_change_ok() will need to take dentry instead
-of inode. Propagate it down to fuse_do_setattr().
-
-Acked-by: Miklos Szeredi <mszeredi at redhat.com>
-Reviewed-by: Christoph Hellwig <hch at lst.de>
-Signed-off-by: Jan Kara <jack at suse.cz>
-[bwh: Backported to 3.16: open-code file_dentry()]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- fs/fuse/dir.c | 7 ++++---
- fs/fuse/file.c | 2 +-
- fs/fuse/fuse_i.h | 2 +-
- 3 files changed, 6 insertions(+), 5 deletions(-)
-
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -1704,9 +1704,10 @@ int fuse_flush_times(struct inode *inode
- * vmtruncate() doesn't allow for this case, so do the rlimit checking
- * and the actual truncation by hand.
- */
--int fuse_do_setattr(struct inode *inode, struct iattr *attr,
-+int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
- struct file *file)
- {
-+ struct inode *inode = d_inode(dentry);
- struct fuse_conn *fc = get_fuse_conn(inode);
- struct fuse_inode *fi = get_fuse_inode(inode);
- struct fuse_req *req;
-@@ -1826,9 +1827,9 @@ static int fuse_setattr(struct dentry *e
- return -EACCES;
-
- if (attr->ia_valid & ATTR_FILE)
-- return fuse_do_setattr(inode, attr, attr->ia_file);
-+ return fuse_do_setattr(entry, attr, attr->ia_file);
- else
-- return fuse_do_setattr(inode, attr, NULL);
-+ return fuse_do_setattr(entry, attr, NULL);
- }
-
- static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -2879,7 +2879,7 @@ static void fuse_do_truncate(struct file
- attr.ia_file = file;
- attr.ia_valid |= ATTR_FILE;
-
-- fuse_do_setattr(inode, &attr, file);
-+ fuse_do_setattr(file->f_dentry, &attr, file);
- }
-
- static inline loff_t fuse_round_up(loff_t off)
---- a/fs/fuse/fuse_i.h
-+++ b/fs/fuse/fuse_i.h
-@@ -894,7 +894,7 @@ bool fuse_write_update_size(struct inode
- int fuse_flush_times(struct inode *inode, struct fuse_file *ff);
- int fuse_write_inode(struct inode *inode, struct writeback_control *wbc);
-
--int fuse_do_setattr(struct inode *inode, struct iattr *attr,
-+int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
- struct file *file);
-
- #endif /* _FS_FUSE_I_H */
diff --git a/debian/patches/bugfix/all/hid-core-prevent-out-of-bound-readings.patch b/debian/patches/bugfix/all/hid-core-prevent-out-of-bound-readings.patch
deleted file mode 100644
index f3a979a..0000000
--- a/debian/patches/bugfix/all/hid-core-prevent-out-of-bound-readings.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Benjamin Tissoires <benjamin.tissoires at redhat.com>
-Date: Tue, 19 Jan 2016 12:34:58 +0100
-Subject: HID: core: prevent out-of-bound readings
-Origin: https://git.kernel.org/linus/50220dead1650609206efe91f0cc116132d59b3f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-7915
-
-Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
-out-of-bound readings.
-
-The fields are allocated up to MAX_USAGE, meaning that potentially, we do
-not have enough fields to fit the incoming values.
-Add checks and silence KASAN.
-
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires at redhat.com>
-Signed-off-by: Jiri Kosina <jkosina at suse.cz>
----
- drivers/hid/hid-core.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1208,6 +1208,7 @@ static void hid_input_field(struct hid_d
- /* Ignore report if ErrorRollOver */
- if (!(field->flags & HID_MAIN_ITEM_VARIABLE) &&
- value[n] >= min && value[n] <= max &&
-+ value[n] - min < field->maxusage &&
- field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1)
- goto exit;
- }
-@@ -1220,11 +1221,13 @@ static void hid_input_field(struct hid_d
- }
-
- if (field->value[n] >= min && field->value[n] <= max
-+ && field->value[n] - min < field->maxusage
- && field->usage[field->value[n] - min].hid
- && search(value, field->value[n], count))
- hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt);
-
- if (value[n] >= min && value[n] <= max
-+ && value[n] - min < field->maxusage
- && field->usage[value[n] - min].hid
- && search(field->value, value[n], count))
- hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
diff --git a/debian/patches/bugfix/all/ip6_gre-fix-ip6gre_err-invalid-reads.patch b/debian/patches/bugfix/all/ip6_gre-fix-ip6gre_err-invalid-reads.patch
deleted file mode 100644
index 18a207c..0000000
--- a/debian/patches/bugfix/all/ip6_gre-fix-ip6gre_err-invalid-reads.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Sat, 4 Feb 2017 23:18:55 -0800
-Subject: ip6_gre: fix ip6gre_err() invalid reads
-Origin: https://git.kernel.org/linus/7892032cfe67f4bde6fc2ee967e45a8fbaf33756
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5897
-
-Andrey Konovalov reported out of bound accesses in ip6gre_err()
-
-If GRE flags contains GRE_KEY, the following expression
-*(((__be32 *)p) + (grehlen / 4) - 1)
-
-accesses data ~40 bytes after the expected point, since
-grehlen includes the size of IPv6 headers.
-
-Let's use a "struct gre_base_hdr *greh" pointer to make this
-code more readable.
-
-p[1] becomes greh->protocol.
-grhlen is the GRE header length.
-
-Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16:
- - Add #include <net/gre.h>, added earlier upstream
- - Adjust context]
----
- net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
- 1 file changed, 21 insertions(+), 19 deletions(-)
-
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -55,6 +55,7 @@
- #include <net/ip6_fib.h>
- #include <net/ip6_route.h>
- #include <net/ip6_tunnel.h>
-+#include <net/gre.h>
-
-
- static bool log_ecn_error = true;
-@@ -364,35 +365,37 @@ static void ip6gre_tunnel_uninit(struct
-
-
- static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
-- u8 type, u8 code, int offset, __be32 info)
-+ u8 type, u8 code, int offset, __be32 info)
- {
-- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
-- __be16 *p = (__be16 *)(skb->data + offset);
-- int grehlen = offset + 4;
-+ const struct gre_base_hdr *greh;
-+ const struct ipv6hdr *ipv6h;
-+ int grehlen = sizeof(*greh);
- struct ip6_tnl *t;
-+ int key_off = 0;
- __be16 flags;
-+ __be32 key;
-
-- flags = p[0];
-- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
-- if (flags&(GRE_VERSION|GRE_ROUTING))
-- return;
-- if (flags&GRE_KEY) {
-- grehlen += 4;
-- if (flags&GRE_CSUM)
-- grehlen += 4;
-- }
-+ if (!pskb_may_pull(skb, offset + grehlen))
-+ return;
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ flags = greh->flags;
-+ if (flags & (GRE_VERSION | GRE_ROUTING))
-+ return;
-+ if (flags & GRE_CSUM)
-+ grehlen += 4;
-+ if (flags & GRE_KEY) {
-+ key_off = grehlen + offset;
-+ grehlen += 4;
- }
-
-- /* If only 8 bytes returned, keyed message will be dropped here */
-- if (!pskb_may_pull(skb, grehlen))
-+ if (!pskb_may_pull(skb, offset + grehlen))
- return;
- ipv6h = (const struct ipv6hdr *)skb->data;
-- p = (__be16 *)(skb->data + offset);
-+ greh = (const struct gre_base_hdr *)(skb->data + offset);
-+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
-
- t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
-- flags & GRE_KEY ?
-- *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
-- p[1]);
-+ key, greh->protocol);
- if (t == NULL)
- return;
-
diff --git a/debian/patches/bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch b/debian/patches/bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
deleted file mode 100644
index e688e74..0000000
--- a/debian/patches/bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Davidlohr Bueso <dave at stgolabs.net>
-Date: Mon, 27 Feb 2017 14:28:24 -0800
-Subject: ipc/shm: Fix shmat mmap nil-page protection
-Origin: https://git.kernel.org/linus/95e91b831f87ac8e1f8ed50c14d709089b4e01b8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5669
-
-The issue is described here, with a nice testcase:
-
- https://bugzilla.kernel.org/show_bug.cgi?id=192931
-
-The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
-the address rounded down to 0. For the regular mmap case, the
-protection mentioned above is that the kernel gets to generate the
-address -- arch_get_unmapped_area() will always check for MAP_FIXED and
-return that address. So by the time we do security_mmap_addr(0) things
-get funky for shmat().
-
-The testcase itself shows that while a regular user crashes, root will
-not have a problem attaching a nil-page. There are two possible fixes
-to this. The first, and which this patch does, is to simply allow root
-to crash as well -- this is also regular mmap behavior, ie when hacking
-up the testcase and adding mmap(... |MAP_FIXED). While this approach
-is the safer option, the second alternative is to ignore SHM_RND if the
-rounded address is 0, thus only having MAP_SHARED flags. This makes the
-behavior of shmat() identical to the mmap() case. The downside of this
-is obviously user visible, but does make sense in that it maintains
-semantics after the round-down wrt 0 address and mmap.
-
-Passes shm related ltp tests.
-
-Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
-Signed-off-by: Davidlohr Bueso <dbueso at suse.de>
-Reported-by: Gareth Evans <gareth.evans at contextis.co.uk>
-Cc: Manfred Spraul <manfred at colorfullife.com>
-Cc: Michael Kerrisk <mtk.manpages at googlemail.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- ipc/shm.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/ipc/shm.c b/ipc/shm.c
-index d7805ac..06ea9ef 100644
---- a/ipc/shm.c
-+++ b/ipc/shm.c
-@@ -1091,8 +1091,8 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
- * "raddr" thing points to kernel space, and there has to be a wrapper around
- * this.
- */
--long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
-- unsigned long shmlba)
-+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
-+ ulong *raddr, unsigned long shmlba)
- {
- struct shmid_kernel *shp;
- unsigned long addr;
-@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
- goto out;
- else if ((addr = (ulong)shmaddr)) {
- if (addr & (shmlba - 1)) {
-- if (shmflg & SHM_RND)
-- addr &= ~(shmlba - 1); /* round down */
-+ /*
-+ * Round down to the nearest multiple of shmlba.
-+ * For sane do_mmap_pgoff() parameters, avoid
-+ * round downs that trigger nil-page and MAP_FIXED.
-+ */
-+ if ((shmflg & SHM_RND) && addr >= shmlba)
-+ addr &= ~(shmlba - 1);
- else
- #ifndef __ARCH_FORCE_SHMLBA
- if (addr & ~PAGE_MASK)
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch b/debian/patches/bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch
deleted file mode 100644
index 4233721..0000000
--- a/debian/patches/bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Sat, 4 Feb 2017 11:16:52 -0800
-Subject: ipv4: keep skb->dst around in presence of IP options
-Origin: https://git.kernel.org/linus/34b2cef20f19c87999fff3da4071e66937db9644
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5970
-
-Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
-is accessed.
-
-ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
-are present.
-
-We could refine the test to the presence of ts_needtime or srr,
-but IP options are not often used, so let's be conservative.
-
-Thanks to syzkaller team for finding this bug.
-
-Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/ip_sockglue.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -1079,7 +1079,14 @@ void ipv4_pktinfo_prepare(const struct s
- pktinfo->ipi_ifindex = 0;
- pktinfo->ipi_spec_dst.s_addr = 0;
- }
-- skb_dst_drop(skb);
-+ /* We need to keep the dst for __ip_options_echo()
-+ * We could restrict the test to opt.ts_needtime || opt.srr,
-+ * but the following is good enough as IP options are not often used.
-+ */
-+ if (unlikely(IPCB(skb)->opt.optlen))
-+ skb_dst_force(skb);
-+ else
-+ skb_dst_drop(skb);
- }
-
- int ip_setsockopt(struct sock *sk, int level,
diff --git a/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch b/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
deleted file mode 100644
index eca2e4a..0000000
--- a/debian/patches/bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Fri, 17 Feb 2017 16:19:39 -0500
-Subject: irda: Fix lockdep annotations in hashbin_delete().
-Origin: https://git.kernel.org/linus/4c03b862b12f980456f9de92db6d508a4999b788
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6348
-
-A nested lock depth was added to the hasbin_delete() code but it
-doesn't actually work some well and results in tons of lockdep splats.
-
-Fix the code instead to properly drop the lock around the operation
-and just keep peeking the head of the hashbin queue.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Tested-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/irda/irqueue.c | 34 ++++++++++++++++------------------
- 1 file changed, 16 insertions(+), 18 deletions(-)
-
---- a/net/irda/irqueue.c
-+++ b/net/irda/irqueue.c
-@@ -385,9 +385,6 @@ EXPORT_SYMBOL(hashbin_new);
- * for deallocating this structure if it's complex. If not the user can
- * just supply kfree, which should take care of the job.
- */
--#ifdef CONFIG_LOCKDEP
--static int hashbin_lock_depth = 0;
--#endif
- int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
- {
- irda_queue_t* queue;
-@@ -398,22 +395,27 @@ int hashbin_delete( hashbin_t* hashbin,
- IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
-
- /* Synchronize */
-- if ( hashbin->hb_type & HB_LOCK ) {
-- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
-- hashbin_lock_depth++);
-- }
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-
- /*
- * Free the entries in the hashbin, TODO: use hashbin_clear when
- * it has been shown to work
- */
- for (i = 0; i < HASHBIN_SIZE; i ++ ) {
-- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-- while (queue ) {
-- if (free_func)
-- (*free_func)(queue);
-- queue = dequeue_first(
-- (irda_queue_t**) &hashbin->hb_queue[i]);
-+ while (1) {
-+ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-+
-+ if (!queue)
-+ break;
-+
-+ if (free_func) {
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
-+ free_func(queue);
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-+ }
- }
- }
-
-@@ -422,12 +424,8 @@ int hashbin_delete( hashbin_t* hashbin,
- hashbin->magic = ~HB_MAGIC;
-
- /* Release lock */
-- if ( hashbin->hb_type & HB_LOCK) {
-+ if (hashbin->hb_type & HB_LOCK)
- spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
--#ifdef CONFIG_LOCKDEP
-- hashbin_lock_depth--;
--#endif
-- }
-
- /*
- * Free the hashbin structure
diff --git a/debian/patches/bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch b/debian/patches/bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch
deleted file mode 100644
index bb07255..0000000
--- a/debian/patches/bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From: Andrey Ryabinin <aryabinin at virtuozzo.com>
-Date: Thu, 24 Nov 2016 13:23:10 +0000
-Subject: mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
-Origin: https://git.kernel.org/linus/f5527fffff3f002b0a6b376163613b82f69de073
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8650
-
-This fixes CVE-2016-8650.
-
-If mpi_powm() is given a zero exponent, it wants to immediately return
-either 1 or 0, depending on the modulus. However, if the result was
-initalised with zero limb space, no limbs space is allocated and a
-NULL-pointer exception ensues.
-
-Fix this by allocating a minimal amount of limb space for the result when
-the 0-exponent case when the result is 1 and not touching the limb space
-when the result is 0.
-
-This affects the use of RSA keys and X.509 certificates that carry them.
-
-BUG: unable to handle kernel NULL pointer dereference at (null)
-IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
-PGD 0
-Oops: 0002 [#1] SMP
-Modules linked in:
-CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
-Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
-task: ffff8804011944c0 task.stack: ffff880401294000
-RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
-RSP: 0018:ffff880401297ad8 EFLAGS: 00010212
-RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
-RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
-RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
-R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
-FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
-Stack:
- ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
- 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
- ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
-Call Trace:
- [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
- [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
- [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
- [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
- [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
- [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
- [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
- [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
- [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
- [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
- [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
- [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
- [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
- [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
- [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
- [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
-Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
-RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
- RSP <ffff880401297ad8>
-CR2: 0000000000000000
----[ end trace d82015255d4a5d8d ]---
-
-Basically, this is a backport of a libgcrypt patch:
-
- http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
-
-Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
-Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-cc: Dmitry Kasatkin <dmitry.kasatkin at gmail.com>
-cc: linux-ima-devel at lists.sourceforge.net
-cc: stable at vger.kernel.org
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- lib/mpi/mpi-pow.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/lib/mpi/mpi-pow.c
-+++ b/lib/mpi/mpi-pow.c
-@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp,
- if (!esize) {
- /* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
- * depending on if MOD equals 1. */
-- rp[0] = 1;
- res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
-+ if (res->nlimbs) {
-+ if (mpi_resize(res, 1) < 0)
-+ goto enomem;
-+ rp = res->d;
-+ rp[0] = 1;
-+ }
- res->sign = 0;
- goto leave;
- }
diff --git a/debian/patches/bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch b/debian/patches/bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
deleted file mode 100644
index d009c20..0000000
--- a/debian/patches/bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 2 Dec 2016 09:44:53 -0800
-Subject: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
-Origin: https://git.kernel.org/linus/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9793
-
-CAP_NET_ADMIN users should not be allowed to set negative
-sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
-corruptions, crashes, OOM...
-
-Note that before commit 82981930125a ("net: cleanups in
-sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
-and SO_RCVBUF were vulnerable.
-
-This needs to be backported to all known linux kernels.
-
-Again, many thanks to syzkaller team for discovering this gem.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/core/sock.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -741,7 +741,7 @@ int sock_setsockopt(struct socket *sock,
- val = min_t(u32, val, sysctl_wmem_max);
- set_sndbuf:
- sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
-- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
-+ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
- /* Wake up sending tasks if we upped the value. */
- sk->sk_write_space(sk);
- break;
-@@ -777,7 +777,7 @@ set_rcvbuf:
- * returning the value we actually used in getsockopt
- * is the most desirable behavior.
- */
-- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
-+ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
- break;
-
- case SO_RCVBUFFORCE:
diff --git a/debian/patches/bugfix/all/net-llc-avoid-BUG_ON-in-skb_orphan.patch b/debian/patches/bugfix/all/net-llc-avoid-BUG_ON-in-skb_orphan.patch
deleted file mode 100644
index 090fc50..0000000
--- a/debian/patches/bugfix/all/net-llc-avoid-BUG_ON-in-skb_orphan.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Sun, 12 Feb 2017 14:03:52 -0800
-Subject: net/llc: avoid BUG_ON() in skb_orphan()
-Origin: https://git.kernel.org/linus/8b74d439e1697110c5e5c600643e823eb1dd0762
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6345
-
-It seems nobody used LLC since linux-3.12.
-
-Fortunately fuzzers like syzkaller still know how to run this code,
-otherwise it would be no fun.
-
-Setting skb->sk without skb->destructor leads to all kinds of
-bugs, we now prefer to be very strict about it.
-
-Ideally here we would use skb_set_owner() but this helper does not exist yet,
-only CAN seems to have a private helper for that.
-
-Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/llc/llc_conn.c | 3 +++
- net/llc/llc_sap.c | 3 +++
- 2 files changed, 6 insertions(+)
-
-diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
-index 3e821da..8bc5a1b 100644
---- a/net/llc/llc_conn.c
-+++ b/net/llc/llc_conn.c
-@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
- * another trick required to cope with how the PROCOM state
- * machine works. -acme
- */
-+ skb_orphan(skb);
-+ sock_hold(sk);
- skb->sk = sk;
-+ skb->destructor = sock_efree;
- }
- if (!sock_owned_by_user(sk))
- llc_conn_rcv(sk, skb);
-diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
-index d0e1e80..5404d0d 100644
---- a/net/llc/llc_sap.c
-+++ b/net/llc/llc_sap.c
-@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
-
- ev->type = LLC_SAP_EV_TYPE_PDU;
- ev->reason = 0;
-+ skb_orphan(skb);
-+ sock_hold(sk);
- skb->sk = sk;
-+ skb->destructor = sock_efree;
- llc_sap_state_process(sap, skb);
- }
-
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch b/debian/patches/bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
deleted file mode 100644
index fd57fcd..0000000
--- a/debian/patches/bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Mon, 5 Dec 2016 10:34:38 -0800
-Subject: net: ping: check minimum size on ICMP header length
-Origin: https://git.kernel.org/linus/0eab121ef8750a5c8637d51534d5e9143fb0633f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8399
-
-Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
-was no check that the iovec contained enough bytes for an ICMP header,
-and the read loop would walk across neighboring stack contents. Since the
-iov_iter conversion, bad arguments are noticed, but the returned error is
-EFAULT. Returning EINVAL is a clearer error and also solves the problem
-prior to v3.19.
-
-This was found using trinity with KASAN on v3.18:
-
-BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
-Read of size 8 by task trinity-c2/9623
-page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
-flags: 0x0()
-page dumped because: kasan: bad access detected
-CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
-Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
-Call trace:
-[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
-[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
-[< inline >] __dump_stack lib/dump_stack.c:15
-[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
-[< inline >] print_address_description mm/kasan/report.c:147
-[< inline >] kasan_report_error mm/kasan/report.c:236
-[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
-[< inline >] check_memory_region mm/kasan/kasan.c:264
-[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
-[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
-[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
-[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
-[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
-[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
-[< inline >] __sock_sendmsg_nosec net/socket.c:624
-[< inline >] __sock_sendmsg net/socket.c:632
-[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
-[< inline >] SYSC_sendto net/socket.c:1797
-[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
-
-CVE-2016-8399
-
-Reported-by: Qidan He <i at flanker017.me>
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Cc: stable at vger.kernel.org
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv4/ping.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -661,6 +661,10 @@ int ping_common_sendmsg(int family, stru
- if (len > 0xFFFF)
- return -EMSGSIZE;
-
-+ /* Must have at least a full ICMP header. */
-+ if (len < icmph_len)
-+ return -EINVAL;
-+
- /*
- * Check the flags.
- */
diff --git a/debian/patches/bugfix/all/net-sock-add-sock_efree.patch b/debian/patches/bugfix/all/net-sock-add-sock_efree.patch
deleted file mode 100644
index e239e14..0000000
--- a/debian/patches/bugfix/all/net-sock-add-sock_efree.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Subject: net/sock: Add sock_efree() function
-Date: Fri, 03 Mar 2017 02:32:07 +0000
-
-Extracted from commit 62bccb8cdb69 ("net-timestamp: Make the clone operation
-stand-alone from phy timestamping").
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -1569,6 +1569,7 @@ struct sk_buff *sock_wmalloc(struct sock
- void sock_wfree(struct sk_buff *skb);
- void skb_orphan_partial(struct sk_buff *skb);
- void sock_rfree(struct sk_buff *skb);
-+void sock_efree(struct sk_buff *skb);
- void sock_edemux(struct sk_buff *skb);
-
- int sock_setsockopt(struct socket *sock, int level, int op,
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -1678,6 +1678,12 @@ void sock_rfree(struct sk_buff *skb)
- }
- EXPORT_SYMBOL(sock_rfree);
-
-+void sock_efree(struct sk_buff *skb)
-+{
-+ sock_put(skb->sk);
-+}
-+EXPORT_SYMBOL(sock_efree);
-+
- void sock_edemux(struct sk_buff *skb)
- {
- struct sock *sk = skb->sk;
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch b/debian/patches/bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
deleted file mode 100644
index a71eb10..0000000
--- a/debian/patches/bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From: Phil Turnbull <phil.turnbull at oracle.com>
-Date: Tue, 2 Feb 2016 13:36:45 -0500
-Subject: netfilter: nfnetlink: correctly validate length of batch messages
-Origin: https://git.kernel.org/linus/c58d6c93680f28ac58984af61d0a7ebf4319c241
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-7917
-
-If nlh->nlmsg_len is zero then an infinite loop is triggered because
-'skb_pull(skb, msglen);' pulls zero bytes.
-
-The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
-NLMSG_HDRLEN' which bypasses the length validation and will later
-trigger an out-of-bound read.
-
-If the length validation does fail then the malformed batch message is
-copied back to userspace. However, we cannot do this because the
-nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
-netlink_ack:
-
- [ 41.455421] ==================================================================
- [ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
- [ 41.456431] Read of size 4294967280 by task a.out/987
- [ 41.456431] =============================================================================
- [ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
- [ 41.456431] -----------------------------------------------------------------------------
- ...
- [ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
- [ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
- [ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 ....... at EV."3...
- [ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
- ^^ start of batch nlmsg with
- nlmsg_len=4294967280
- ...
- [ 41.456431] Memory state around the buggy address:
- [ 41.456431] ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- [ 41.456431] ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- [ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
- [ 41.456431] ^
- [ 41.456431] ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- [ 41.456431] ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
- [ 41.456431] ==================================================================
-
-Fix this with better validation of nlh->nlmsg_len and by setting
-NFNL_BATCH_FAILURE if any batch message fails length validation.
-
-CAP_NET_ADMIN is required to trigger the bugs.
-
-Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
-Signed-off-by: Phil Turnbull <phil.turnbull at oracle.com>
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-[bwh: Backported to 3.16:
- - We don't have an error list so don't call nfnl_err_reset()
- - Set 'success' variable instead of 'status']
----
---- a/net/netfilter/nfnetlink.c
-+++ b/net/netfilter/nfnetlink.c
-@@ -273,10 +273,11 @@ replay:
- nlh = nlmsg_hdr(skb);
- err = 0;
-
-- if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
-- skb->len < nlh->nlmsg_len) {
-- err = -EINVAL;
-- goto ack;
-+ if (nlh->nlmsg_len < NLMSG_HDRLEN ||
-+ skb->len < nlh->nlmsg_len ||
-+ nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {
-+ success = false;
-+ goto done;
- }
-
- /* Only requests are handled by the kernel */
diff --git a/debian/patches/bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch b/debian/patches/bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
deleted file mode 100644
index 775a218..0000000
--- a/debian/patches/bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Philip Pettersson <philip.pettersson at gmail.com>
-Date: Wed, 30 Nov 2016 14:55:36 -0800
-Subject: packet: fix race condition in packet_set_ring
-Origin: https://git.kernel.org/linus/84ac7260236a49c79eede91617700174c2c19b0c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8655
-
-When packet_set_ring creates a ring buffer it will initialize a
-struct timer_list if the packet version is TPACKET_V3. This value
-can then be raced by a different thread calling setsockopt to
-set the version to TPACKET_V1 before packet_set_ring has finished.
-
-This leads to a use-after-free on a function pointer in the
-struct timer_list when the socket is closed as the previously
-initialized timer will not be deleted.
-
-The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
-changing the packet version while also taking the lock at the start
-of packet_set_ring.
-
-Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
-Signed-off-by: Philip Pettersson <philip.pettersson at gmail.com>
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3293,19 +3293,25 @@ packet_setsockopt(struct socket *sock, i
-
- if (optlen != sizeof(val))
- return -EINVAL;
-- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
-- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
- switch (val) {
- case TPACKET_V1:
- case TPACKET_V2:
- case TPACKET_V3:
-- po->tp_version = val;
-- return 0;
-+ break;
- default:
- return -EINVAL;
- }
-+ lock_sock(sk);
-+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+ ret = -EBUSY;
-+ } else {
-+ po->tp_version = val;
-+ ret = 0;
-+ }
-+ release_sock(sk);
-+ return ret;
- }
- case PACKET_RESERVE:
- {
-@@ -3768,6 +3774,7 @@ static int packet_set_ring(struct sock *
- /* Added to avoid minimal code churn */
- struct tpacket_req *req = &req_u->req;
-
-+ lock_sock(sk);
- /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
- if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
- WARN(1, "Tx-ring is not supported.\n");
-@@ -3849,7 +3856,6 @@ static int packet_set_ring(struct sock *
- goto out;
- }
-
-- lock_sock(sk);
-
- /* Detach socket from network */
- spin_lock(&po->bind_lock);
-@@ -3898,11 +3904,11 @@ static int packet_set_ring(struct sock *
- if (!tx_ring)
- prb_shutdown_retire_blk_timer(po, tx_ring, rb_queue);
- }
-- release_sock(sk);
-
- if (pg_vec)
- free_pg_vec(pg_vec, order, req->tp_block_nr);
- out:
-+ release_sock(sk);
- return err;
- }
-
diff --git a/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch b/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
deleted file mode 100644
index 864625c..0000000
--- a/debian/patches/bugfix/all/packet-fix-races-in-fanout_add.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Tue, 14 Feb 2017 09:03:51 -0800
-Subject: packet: fix races in fanout_add()
-Origin: https://git.kernel.org/linus/d199fab63c11998a602205f7ee7ff7c05c97164b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6346
-
-Multiple threads can call fanout_add() at the same time.
-
-We need to grab fanout_mutex earlier to avoid races that could
-lead to one thread freeing po->rollover that was set by another thread.
-
-Do the same in fanout_release(), for peace of mind, and to help us
-finding lockdep issues earlier.
-
-Fixes: dc99f600698d ("packet: Add fanout support.")
-Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Cc: Willem de Bruijn <willemb at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16:
- - No rollover queue stats
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -1451,13 +1451,16 @@ static int fanout_add(struct sock *sk, u
- return -EINVAL;
- }
-
-+ mutex_lock(&fanout_mutex);
-+
-+ err = -EINVAL;
- if (!po->running)
-- return -EINVAL;
-+ goto out;
-
-+ err = -EALREADY;
- if (po->fanout)
-- return -EALREADY;
-+ goto out;
-
-- mutex_lock(&fanout_mutex);
- match = NULL;
- list_for_each_entry(f, &fanout_list, list) {
- if (f->id == id &&
-@@ -1513,17 +1516,16 @@ static void fanout_release(struct sock *
- struct packet_sock *po = pkt_sk(sk);
- struct packet_fanout *f;
-
-- f = po->fanout;
-- if (!f)
-- return;
--
- mutex_lock(&fanout_mutex);
-- po->fanout = NULL;
-+ f = po->fanout;
-+ if (f) {
-+ po->fanout = NULL;
-
-- if (atomic_dec_and_test(&f->sk_ref)) {
-- list_del(&f->list);
-- dev_remove_pack(&f->prot_hook);
-- kfree(f);
-+ if (atomic_dec_and_test(&f->sk_ref)) {
-+ list_del(&f->list);
-+ dev_remove_pack(&f->prot_hook);
-+ kfree(f);
-+ }
- }
- mutex_unlock(&fanout_mutex);
- }
diff --git a/debian/patches/bugfix/all/perf-Fix-event-ctx-locking.patch b/debian/patches/bugfix/all/perf-Fix-event-ctx-locking.patch
deleted file mode 100644
index d1e342f..0000000
--- a/debian/patches/bugfix/all/perf-Fix-event-ctx-locking.patch
+++ /dev/null
@@ -1,501 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Fri, 23 Jan 2015 12:24:14 +0100
-Subject: perf: Fix event->ctx locking
-Origin: https://git.kernel.org/linus/f63a8daa5812afef4f06c962351687e1ff9ccb2b
-
-There have been a few reported issues wrt. the lack of locking around
-changing event->ctx. This patch tries to address those.
-
-It avoids the whole rwsem thing; and while it appears to work, please
-give it some thought in review.
-
-What I did fail at is sensible runtime checks on the use of
-event->ctx, the RCU use makes it very hard.
-
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Cc: Paul E. McKenney <paulmck at linux.vnet.ibm.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Arnaldo Carvalho de Melo <acme at kernel.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[carnil: backport to 3.16, adjust context for 3.16]
----
- kernel/events/core.c | 244 +++++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 207 insertions(+), 37 deletions(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -908,6 +908,77 @@ static void put_ctx(struct perf_event_co
- }
-
- /*
-+ * Because of perf_event::ctx migration in sys_perf_event_open::move_group and
-+ * perf_pmu_migrate_context() we need some magic.
-+ *
-+ * Those places that change perf_event::ctx will hold both
-+ * perf_event_ctx::mutex of the 'old' and 'new' ctx value.
-+ *
-+ * Lock ordering is by mutex address. There is one other site where
-+ * perf_event_context::mutex nests and that is put_event(). But remember that
-+ * that is a parent<->child context relation, and migration does not affect
-+ * children, therefore these two orderings should not interact.
-+ *
-+ * The change in perf_event::ctx does not affect children (as claimed above)
-+ * because the sys_perf_event_open() case will install a new event and break
-+ * the ctx parent<->child relation, and perf_pmu_migrate_context() is only
-+ * concerned with cpuctx and that doesn't have children.
-+ *
-+ * The places that change perf_event::ctx will issue:
-+ *
-+ * perf_remove_from_context();
-+ * synchronize_rcu();
-+ * perf_install_in_context();
-+ *
-+ * to affect the change. The remove_from_context() + synchronize_rcu() should
-+ * quiesce the event, after which we can install it in the new location. This
-+ * means that only external vectors (perf_fops, prctl) can perturb the event
-+ * while in transit. Therefore all such accessors should also acquire
-+ * perf_event_context::mutex to serialize against this.
-+ *
-+ * However; because event->ctx can change while we're waiting to acquire
-+ * ctx->mutex we must be careful and use the below perf_event_ctx_lock()
-+ * function.
-+ *
-+ * Lock order:
-+ * task_struct::perf_event_mutex
-+ * perf_event_context::mutex
-+ * perf_event_context::lock
-+ * perf_event::child_mutex;
-+ * perf_event::mmap_mutex
-+ * mmap_sem
-+ */
-+static struct perf_event_context *perf_event_ctx_lock(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+again:
-+ rcu_read_lock();
-+ ctx = ACCESS_ONCE(event->ctx);
-+ if (!atomic_inc_not_zero(&ctx->refcount)) {
-+ rcu_read_unlock();
-+ goto again;
-+ }
-+ rcu_read_unlock();
-+
-+ mutex_lock(&ctx->mutex);
-+ if (event->ctx != ctx) {
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+ goto again;
-+ }
-+
-+ return ctx;
-+}
-+
-+static void perf_event_ctx_unlock(struct perf_event *event,
-+ struct perf_event_context *ctx)
-+{
-+ mutex_unlock(&ctx->mutex);
-+ put_ctx(ctx);
-+}
-+
-+/*
- * This must be done under the ctx->lock, such as to serialize against
- * context_equiv(), therefore we cannot call put_ctx() since that might end up
- * calling scheduler related locks and ctx->lock nests inside those.
-@@ -1611,7 +1682,7 @@ int __perf_event_disable(void *info)
- * is the current context on this CPU and preemption is disabled,
- * hence we can't get into perf_event_task_sched_out for this context.
- */
--void perf_event_disable(struct perf_event *event)
-+static void _perf_event_disable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -1652,6 +1723,19 @@ retry:
- }
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * Strictly speaking kernel users cannot create groups and therefore this
-+ * interface does not need the perf_event_ctx_lock() magic.
-+ */
-+void perf_event_disable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_disable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_disable);
-
- static void perf_set_shadow_time(struct perf_event *event,
-@@ -2112,7 +2196,7 @@ unlock:
- * perf_event_for_each_child or perf_event_for_each as described
- * for perf_event_disable.
- */
--void perf_event_enable(struct perf_event *event)
-+static void _perf_event_enable(struct perf_event *event)
- {
- struct perf_event_context *ctx = event->ctx;
- struct task_struct *task = ctx->task;
-@@ -2168,9 +2252,21 @@ retry:
- out:
- raw_spin_unlock_irq(&ctx->lock);
- }
-+
-+/*
-+ * See perf_event_disable();
-+ */
-+void perf_event_enable(struct perf_event *event)
-+{
-+ struct perf_event_context *ctx;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ _perf_event_enable(event);
-+ perf_event_ctx_unlock(event, ctx);
-+}
- EXPORT_SYMBOL_GPL(perf_event_enable);
-
--int perf_event_refresh(struct perf_event *event, int refresh)
-+static int _perf_event_refresh(struct perf_event *event, int refresh)
- {
- /*
- * not supported on inherited events
-@@ -2179,10 +2275,25 @@ int perf_event_refresh(struct perf_event
- return -EINVAL;
-
- atomic_add(refresh, &event->event_limit);
-- perf_event_enable(event);
-+ _perf_event_enable(event);
-
- return 0;
- }
-+
-+/*
-+ * See perf_event_disable()
-+ */
-+int perf_event_refresh(struct perf_event *event, int refresh)
-+{
-+ struct perf_event_context *ctx;
-+ int ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_event_refresh(event, refresh);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
- EXPORT_SYMBOL_GPL(perf_event_refresh);
-
- static void ctx_sched_out(struct perf_event_context *ctx,
-@@ -3378,7 +3489,16 @@ static void put_event(struct perf_event
- rcu_read_unlock();
-
- if (owner) {
-- mutex_lock(&owner->perf_event_mutex);
-+ /*
-+ * If we're here through perf_event_exit_task() we're already
-+ * holding ctx->mutex which would be an inversion wrt. the
-+ * normal lock order.
-+ *
-+ * However we can safely take this lock because its the child
-+ * ctx->mutex.
-+ */
-+ mutex_lock_nested(&owner->perf_event_mutex, SINGLE_DEPTH_NESTING);
-+
- /*
- * We have to re-check the event->owner field, if it is cleared
- * we raced with perf_event_exit_task(), acquiring the mutex
-@@ -3454,12 +3574,13 @@ static int perf_event_read_group(struct
- u64 read_format, char __user *buf)
- {
- struct perf_event *leader = event->group_leader, *sub;
-- int n = 0, size = 0, ret = -EFAULT;
- struct perf_event_context *ctx = leader->ctx;
-- u64 values[5];
-+ int n = 0, size = 0, ret;
- u64 count, enabled, running;
-+ u64 values[5];
-+
-+ lockdep_assert_held(&ctx->mutex);
-
-- mutex_lock(&ctx->mutex);
- count = perf_event_read_value(leader, &enabled, &running);
-
- values[n++] = 1 + leader->nr_siblings;
-@@ -3474,7 +3595,7 @@ static int perf_event_read_group(struct
- size = n * sizeof(u64);
-
- if (copy_to_user(buf, values, size))
-- goto unlock;
-+ return -EFAULT;
-
- ret = size;
-
-@@ -3488,14 +3609,11 @@ static int perf_event_read_group(struct
- size = n * sizeof(u64);
-
- if (copy_to_user(buf + ret, values, size)) {
-- ret = -EFAULT;
-- goto unlock;
-+ return -EFAULT;
- }
-
- ret += size;
- }
--unlock:
-- mutex_unlock(&ctx->mutex);
-
- return ret;
- }
-@@ -3554,8 +3672,14 @@ static ssize_t
- perf_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
- {
- struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ int ret;
-
-- return perf_read_hw(event, buf, count);
-+ ctx = perf_event_ctx_lock(event);
-+ ret = perf_read_hw(event, buf, count);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
- }
-
- static unsigned int perf_poll(struct file *file, poll_table *wait)
-@@ -3579,7 +3703,7 @@ static unsigned int perf_poll(struct fil
- return events;
- }
-
--static void perf_event_reset(struct perf_event *event)
-+static void _perf_event_reset(struct perf_event *event)
- {
- (void)perf_event_read(event);
- local64_set(&event->count, 0);
-@@ -3598,6 +3722,7 @@ static void perf_event_for_each_child(st
- struct perf_event *child;
-
- WARN_ON_ONCE(event->ctx->parent_ctx);
-+
- mutex_lock(&event->child_mutex);
- func(event);
- list_for_each_entry(child, &event->child_list, child_list)
-@@ -3611,14 +3736,13 @@ static void perf_event_for_each(struct p
- struct perf_event_context *ctx = event->ctx;
- struct perf_event *sibling;
-
-- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-+ lockdep_assert_held(&ctx->mutex);
-+
- event = event->group_leader;
-
- perf_event_for_each_child(event, func);
- list_for_each_entry(sibling, &event->sibling_list, group_entry)
- perf_event_for_each_child(sibling, func);
-- mutex_unlock(&ctx->mutex);
- }
-
- struct period_event {
-@@ -3730,25 +3854,24 @@ static int perf_event_set_output(struct
- struct perf_event *output_event);
- static int perf_event_set_filter(struct perf_event *event, void __user *arg);
-
--static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+static long _perf_ioctl(struct perf_event *event, unsigned int cmd, unsigned long arg)
- {
-- struct perf_event *event = file->private_data;
- void (*func)(struct perf_event *);
- u32 flags = arg;
-
- switch (cmd) {
- case PERF_EVENT_IOC_ENABLE:
-- func = perf_event_enable;
-+ func = _perf_event_enable;
- break;
- case PERF_EVENT_IOC_DISABLE:
-- func = perf_event_disable;
-+ func = _perf_event_disable;
- break;
- case PERF_EVENT_IOC_RESET:
-- func = perf_event_reset;
-+ func = _perf_event_reset;
- break;
-
- case PERF_EVENT_IOC_REFRESH:
-- return perf_event_refresh(event, arg);
-+ return _perf_event_refresh(event, arg);
-
- case PERF_EVENT_IOC_PERIOD:
- return perf_event_period(event, (u64 __user *)arg);
-@@ -3795,6 +3918,19 @@ static long perf_ioctl(struct file *file
- return 0;
- }
-
-+static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-+{
-+ struct perf_event *event = file->private_data;
-+ struct perf_event_context *ctx;
-+ long ret;
-+
-+ ctx = perf_event_ctx_lock(event);
-+ ret = _perf_ioctl(event, cmd, arg);
-+ perf_event_ctx_unlock(event, ctx);
-+
-+ return ret;
-+}
-+
- #ifdef CONFIG_COMPAT
- static long perf_compat_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
-@@ -3817,11 +3953,15 @@ static long perf_compat_ioctl(struct fil
-
- int perf_event_task_enable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_enable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_enable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -3829,11 +3969,15 @@ int perf_event_task_enable(void)
-
- int perf_event_task_disable(void)
- {
-+ struct perf_event_context *ctx;
- struct perf_event *event;
-
- mutex_lock(¤t->perf_event_mutex);
-- list_for_each_entry(event, ¤t->perf_event_list, owner_entry)
-- perf_event_for_each_child(event, perf_event_disable);
-+ list_for_each_entry(event, ¤t->perf_event_list, owner_entry) {
-+ ctx = perf_event_ctx_lock(event);
-+ perf_event_for_each_child(event, _perf_event_disable);
-+ perf_event_ctx_unlock(event, ctx);
-+ }
- mutex_unlock(¤t->perf_event_mutex);
-
- return 0;
-@@ -7163,6 +7307,15 @@ out:
- return ret;
- }
-
-+static void mutex_lock_double(struct mutex *a, struct mutex *b)
-+{
-+ if (b < a)
-+ swap(a, b);
-+
-+ mutex_lock(a);
-+ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
-+}
-+
- /**
- * sys_perf_event_open - open a performance event, associate it to a task/cpu
- *
-@@ -7178,7 +7331,7 @@ SYSCALL_DEFINE5(perf_event_open,
- struct perf_event *group_leader = NULL, *output_event = NULL;
- struct perf_event *event, *sibling;
- struct perf_event_attr attr;
-- struct perf_event_context *ctx;
-+ struct perf_event_context *ctx, *uninitialized_var(gctx);
- struct file *event_file = NULL;
- struct fd group = {NULL, 0};
- struct task_struct *task = NULL;
-@@ -7377,9 +7530,14 @@ SYSCALL_DEFINE5(perf_event_open,
- }
-
- if (move_group) {
-- struct perf_event_context *gctx = group_leader->ctx;
-+ gctx = group_leader->ctx;
-+
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
-
-- mutex_lock(&gctx->mutex);
- perf_remove_from_context(group_leader, false);
-
- /*
-@@ -7394,15 +7552,19 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_event__state_init(sibling);
- put_ctx(gctx);
- }
-- mutex_unlock(&gctx->mutex);
-- put_ctx(gctx);
-+ } else {
-+ mutex_lock(&ctx->mutex);
- }
-
- WARN_ON_ONCE(ctx->parent_ctx);
-- mutex_lock(&ctx->mutex);
-
- if (move_group) {
-+ /*
-+ * Wait for everybody to stop referencing the events through
-+ * the old lists, before installing it on new lists.
-+ */
- synchronize_rcu();
-+
- perf_install_in_context(ctx, group_leader, group_leader->cpu);
- get_ctx(ctx);
- list_for_each_entry(sibling, &group_leader->sibling_list,
-@@ -7414,6 +7576,11 @@ SYSCALL_DEFINE5(perf_event_open,
-
- perf_install_in_context(ctx, event, event->cpu);
- perf_unpin_context(ctx);
-+
-+ if (move_group) {
-+ mutex_unlock(&gctx->mutex);
-+ put_ctx(gctx);
-+ }
- mutex_unlock(&ctx->mutex);
-
- put_online_cpus();
-@@ -7516,7 +7683,11 @@ void perf_pmu_migrate_context(struct pmu
- src_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, src_cpu)->ctx;
- dst_ctx = &per_cpu_ptr(pmu->pmu_cpu_context, dst_cpu)->ctx;
-
-- mutex_lock(&src_ctx->mutex);
-+ /*
-+ * See perf_event_ctx_lock() for comments on the details
-+ * of swizzling perf_event::ctx.
-+ */
-+ mutex_lock_double(&src_ctx->mutex, &dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &src_ctx->event_list,
- event_entry) {
- perf_remove_from_context(event, false);
-@@ -7524,11 +7695,9 @@ void perf_pmu_migrate_context(struct pmu
- put_ctx(src_ctx);
- list_add(&event->migrate_entry, &events);
- }
-- mutex_unlock(&src_ctx->mutex);
-
- synchronize_rcu();
-
-- mutex_lock(&dst_ctx->mutex);
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
-@@ -7538,6 +7707,7 @@ void perf_pmu_migrate_context(struct pmu
- get_ctx(dst_ctx);
- }
- mutex_unlock(&dst_ctx->mutex);
-+ mutex_unlock(&src_ctx->mutex);
- }
- EXPORT_SYMBOL_GPL(perf_pmu_migrate_context);
-
diff --git a/debian/patches/bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch b/debian/patches/bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
deleted file mode 100644
index 64680cc..0000000
--- a/debian/patches/bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Wed, 11 Jan 2017 21:09:50 +0100
-Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
-Origin: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290
-
-Di Shen reported a race between two concurrent sys_perf_event_open()
-calls where both try and move the same pre-existing software group
-into a hardware context.
-
-The problem is exactly that described in commit:
-
- f63a8daa5812 ("perf: Fix event->ctx locking")
-
-... where, while we wait for a ctx->mutex acquisition, the event->ctx
-relation can have changed under us.
-
-That very same commit failed to recognise sys_perf_event_context() as an
-external access vector to the events and thereby didn't apply the
-established locking rules correctly.
-
-So while one sys_perf_event_open() call is stuck waiting on
-mutex_lock_double(), the other (which owns said locks) moves the group
-about. So by the time the former sys_perf_event_open() acquires the
-locks, the context we've acquired is stale (and possibly dead).
-
-Apply the established locking rules as per perf_event_ctx_lock_nested()
-to the mutex_lock_double() for the 'move_group' case. This obviously means
-we need to validate state after we acquire the locks.
-
-Reported-by: Di Shen (Keen Lab)
-Tested-by: John Dias <joaodias at google.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Cc: Alexander Shishkin <alexander.shishkin at linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme at kernel.org>
-Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Kees Cook <keescook at chromium.org>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Min Chong <mchong at google.com>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Stephane Eranian <eranian at google.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Vince Weaver <vincent.weaver at maine.edu>
-Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
-Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-[bwh: Backported to 3.16:
- - Use ACCESS_ONCE() instead of READ_ONCE()
- - Test perf_event::group_flags instead of group_caps
- - Add the err_locked cleanup block, which we didn't need before
- - Adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- kernel/events/core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 54 insertions(+), 4 deletions(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -7311,6 +7311,37 @@ static void mutex_lock_double(struct mut
- mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
- }
-
-+/*
-+ * Variation on perf_event_ctx_lock_nested(), except we take two context
-+ * mutexes.
-+ */
-+static struct perf_event_context *
-+__perf_event_ctx_lock_double(struct perf_event *group_leader,
-+ struct perf_event_context *ctx)
-+{
-+ struct perf_event_context *gctx;
-+
-+again:
-+ rcu_read_lock();
-+ gctx = ACCESS_ONCE(group_leader->ctx);
-+ if (!atomic_inc_not_zero(&gctx->refcount)) {
-+ rcu_read_unlock();
-+ goto again;
-+ }
-+ rcu_read_unlock();
-+
-+ mutex_lock_double(&gctx->mutex, &ctx->mutex);
-+
-+ if (group_leader->ctx != gctx) {
-+ mutex_unlock(&ctx->mutex);
-+ mutex_unlock(&gctx->mutex);
-+ put_ctx(gctx);
-+ goto again;
-+ }
-+
-+ return gctx;
-+}
-+
- /**
- * sys_perf_event_open - open a performance event, associate it to a task/cpu
- *
-@@ -7522,14 +7553,31 @@ SYSCALL_DEFINE5(perf_event_open,
- }
-
- if (move_group) {
-- gctx = group_leader->ctx;
-+ gctx = __perf_event_ctx_lock_double(group_leader, ctx);
-+
-+ /*
-+ * Check if we raced against another sys_perf_event_open() call
-+ * moving the software group underneath us.
-+ */
-+ if (!(group_leader->group_flags & PERF_GROUP_SOFTWARE)) {
-+ /*
-+ * If someone moved the group out from under us, check
-+ * if this new event wound up on the same ctx, if so
-+ * its the regular !move_group case, otherwise fail.
-+ */
-+ if (gctx != ctx) {
-+ err = -EINVAL;
-+ goto err_locked;
-+ } else {
-+ perf_event_ctx_unlock(group_leader, gctx);
-+ move_group = 0;
-+ }
-+ }
-
- /*
- * See perf_event_ctx_lock() for comments on the details
- * of swizzling perf_event::ctx.
- */
-- mutex_lock_double(&gctx->mutex, &ctx->mutex);
--
- perf_remove_from_context(group_leader, false);
-
- /*
-@@ -7570,7 +7618,7 @@ SYSCALL_DEFINE5(perf_event_open,
- perf_unpin_context(ctx);
-
- if (move_group) {
-- mutex_unlock(&gctx->mutex);
-+ perf_event_ctx_unlock(group_leader, gctx);
- put_ctx(gctx);
- }
- mutex_unlock(&ctx->mutex);
-@@ -7599,6 +7647,11 @@ SYSCALL_DEFINE5(perf_event_open,
- fd_install(event_fd, event_file);
- return event_fd;
-
-+err_locked:
-+ if (move_group)
-+ perf_event_ctx_unlock(group_leader, gctx);
-+ mutex_unlock(&ctx->mutex);
-+ fput(event_file);
- err_context:
- perf_unpin_context(ctx);
- put_ctx(ctx);
diff --git a/debian/patches/bugfix/all/perf-do-not-double-free.patch b/debian/patches/bugfix/all/perf-do-not-double-free.patch
deleted file mode 100644
index 9bde436..0000000
--- a/debian/patches/bugfix/all/perf-do-not-double-free.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Wed, 24 Feb 2016 18:45:41 +0100
-Subject: perf: Do not double free
-Origin: https://git.kernel.org/linus/130056275ade730e7a79c110212c8815202773ee
-
-In case of: err_file: fput(event_file), we'll end up calling
-perf_release() which in turn will free the event.
-
-Do not then free the event _again_.
-
-Tested-by: Alexander Shishkin <alexander.shishkin at linux.intel.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Reviewed-by: Alexander Shishkin <alexander.shishkin at linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: dvyukov at google.com
-Cc: eranian at google.com
-Cc: oleg at redhat.com
-Cc: panand at redhat.com
-Cc: sasha.levin at oracle.com
-Cc: vince at deater.net
-Link: http://lkml.kernel.org/r/20160224174947.697350349@infradead.org
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- kernel/events/core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -7611,7 +7611,12 @@ err_context:
- perf_unpin_context(ctx);
- put_ctx(ctx);
- err_alloc:
-- free_event(event);
-+ /*
-+ * If event_file is set, the fput() above will have called ->release()
-+ * and that will take care of freeing the event.
-+ */
-+ if (!event_file)
-+ free_event(event);
- err_cpus:
- put_online_cpus();
- err_task:
diff --git a/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch b/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
deleted file mode 100644
index 7df1e1e..0000000
--- a/debian/patches/bugfix/all/perf-fix-race-in-swevent-hash.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From: Peter Zijlstra <peterz at infradead.org>
-Date: Tue, 15 Dec 2015 13:49:05 +0100
-Subject: perf: Fix race in swevent hash
-Origin: https://git.kernel.org/linus/12ca6ad2e3a896256f086497a7c7406a547ee373
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8963
-
-There's a race on CPU unplug where we free the swevent hash array
-while it can still have events on. This will result in a
-use-after-free which is BAD.
-
-Simply do not free the hash array on unplug. This leaves the thing
-around and no use-after-free takes place.
-
-When the last swevent dies, we do a for_each_possible_cpu() iteration
-anyway to clean these up, at which time we'll free it, so no leakage
-will occur.
-
-Reported-by: Sasha Levin <sasha.levin at oracle.com>
-Tested-by: Sasha Levin <sasha.levin at oracle.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz at infradead.org>
-Cc: Arnaldo Carvalho de Melo <acme at redhat.com>
-Cc: Frederic Weisbecker <fweisbec at gmail.com>
-Cc: Jiri Olsa <jolsa at redhat.com>
-Cc: Linus Torvalds <torvalds at linux-foundation.org>
-Cc: Peter Zijlstra <peterz at infradead.org>
-Cc: Stephane Eranian <eranian at google.com>
-Cc: Thomas Gleixner <tglx at linutronix.de>
-Cc: Vince Weaver <vincent.weaver at maine.edu>
-Signed-off-by: Ingo Molnar <mingo at kernel.org>
----
- kernel/events/core.c | 20 +-------------------
- 1 file changed, 1 insertion(+), 19 deletions(-)
-
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -5595,9 +5595,6 @@ struct swevent_htable {
-
- /* Recursion avoidance in each contexts */
- int recursion[PERF_NR_CONTEXTS];
--
-- /* Keeps track of cpu being initialized/exited */
-- bool online;
- };
-
- static DEFINE_PER_CPU(struct swevent_htable, swevent_htable);
-@@ -5844,14 +5841,8 @@ static int perf_swevent_add(struct perf_
- hwc->state = !(flags & PERF_EF_START);
-
- head = find_swevent_head(swhash, event);
-- if (!head) {
-- /*
-- * We can race with cpu hotplug code. Do not
-- * WARN if the cpu just got unplugged.
-- */
-- WARN_ON_ONCE(swhash->online);
-+ if (WARN_ON_ONCE(!head))
- return -EINVAL;
-- }
-
- hlist_add_head_rcu(&event->hlist_entry, head);
-
-@@ -5918,7 +5909,6 @@ static int swevent_hlist_get_cpu(struct
- int err = 0;
-
- mutex_lock(&swhash->hlist_mutex);
--
- if (!swevent_hlist_deref(swhash) && cpu_online(cpu)) {
- struct swevent_hlist *hlist;
-
-@@ -8050,7 +8040,6 @@ static void perf_event_init_cpu(int cpu)
- struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
-
- mutex_lock(&swhash->hlist_mutex);
-- swhash->online = true;
- if (swhash->hlist_refcount > 0) {
- struct swevent_hlist *hlist;
-
-@@ -8103,14 +8092,7 @@ static void perf_event_exit_cpu_context(
-
- static void perf_event_exit_cpu(int cpu)
- {
-- struct swevent_htable *swhash = &per_cpu(swevent_htable, cpu);
--
- perf_event_exit_cpu_context(cpu);
--
-- mutex_lock(&swhash->hlist_mutex);
-- swhash->online = false;
-- swevent_hlist_release(swhash);
-- mutex_unlock(&swhash->hlist_mutex);
- }
- #else
- static inline void perf_event_exit_cpu(int cpu) { }
diff --git a/debian/patches/bugfix/all/revert-fs-give-dentry-to-inode_change_ok-instead-of-inode.patch b/debian/patches/bugfix/all/revert-fs-give-dentry-to-inode_change_ok-instead-of-inode.patch
deleted file mode 100644
index ea5f125..0000000
--- a/debian/patches/bugfix/all/revert-fs-give-dentry-to-inode_change_ok-instead-of-inode.patch
+++ /dev/null
@@ -1,779 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Wed, 30 Nov 2016 23:13:05 +0000
-Subject: Revert "fs: Give dentry to inode_change_ok() instead of inode"
-Origin: https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-stable-queue.git/tree/queue-3.16/revert-fs-give-dentry-to-inode_change_ok-instead-of-inode.patch
-
-This reverts commit be9df699432235753c3824b0f5a27d46de7fdc9e, which was
-commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream. The backport
-breaks fuse and makes a mess of xfs, which can be improved by picking
-further upstream commits as I should have done in the first place.
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/Documentation/filesystems/porting
-+++ b/Documentation/filesystems/porting
-@@ -287,8 +287,8 @@ implementing on-disk size changes. Star
- and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
- be in order of zeroing blocks using block_truncate_page or similar helpers,
- size update and on finally on-disk truncation which should not fail.
--setattr_prepare (which used to be inode_change_ok) now includes the size checks
--for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
-+inode_change_ok now includes the size checks for ATTR_SIZE and must be called
-+in the beginning of ->setattr unconditionally.
-
- [mandatory]
-
---- a/drivers/staging/lustre/lustre/llite/llite_lib.c
-+++ b/drivers/staging/lustre/lustre/llite/llite_lib.c
-@@ -1386,7 +1386,7 @@ int ll_setattr_raw(struct dentry *dentry
- attr->ia_valid |= ATTR_MTIME | ATTR_CTIME;
- }
-
-- /* POSIX: check before ATTR_*TIME_SET set (from setattr_prepare) */
-+ /* POSIX: check before ATTR_*TIME_SET set (from inode_change_ok) */
- if (attr->ia_valid & TIMES_SET_FLAGS) {
- if ((!uid_eq(current_fsuid(), inode->i_uid)) &&
- !capable(CFS_CAP_FOWNER))
---- a/fs/9p/vfs_inode.c
-+++ b/fs/9p/vfs_inode.c
-@@ -1094,7 +1094,7 @@ static int v9fs_vfs_setattr(struct dentr
- struct p9_wstat wstat;
-
- p9_debug(P9_DEBUG_VFS, "\n");
-- retval = setattr_prepare(dentry, iattr);
-+ retval = inode_change_ok(dentry->d_inode, iattr);
- if (retval)
- return retval;
-
---- a/fs/9p/vfs_inode_dotl.c
-+++ b/fs/9p/vfs_inode_dotl.c
-@@ -560,7 +560,7 @@ int v9fs_vfs_setattr_dotl(struct dentry
-
- p9_debug(P9_DEBUG_VFS, "\n");
-
-- retval = setattr_prepare(dentry, iattr);
-+ retval = inode_change_ok(inode, iattr);
- if (retval)
- return retval;
-
---- a/fs/adfs/inode.c
-+++ b/fs/adfs/inode.c
-@@ -303,7 +303,7 @@ adfs_notify_change(struct dentry *dentry
- unsigned int ia_valid = attr->ia_valid;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
-
- /*
- * we can't change the UID or GID of any file -
---- a/fs/affs/inode.c
-+++ b/fs/affs/inode.c
-@@ -222,7 +222,7 @@ affs_notify_change(struct dentry *dentry
-
- pr_debug("notify_change(%lu,0x%x)\n", inode->i_ino, attr->ia_valid);
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode,attr);
- if (error)
- goto out;
-
---- a/fs/attr.c
-+++ b/fs/attr.c
-@@ -17,22 +17,19 @@
- #include <linux/ima.h>
-
- /**
-- * setattr_prepare - check if attribute changes to a dentry are allowed
-- * @dentry: dentry to check
-+ * inode_change_ok - check if attribute changes to an inode are allowed
-+ * @inode: inode to check
- * @attr: attributes to change
- *
- * Check if we are allowed to change the attributes contained in @attr
-- * in the given dentry. This includes the normal unix access permission
-- * checks, as well as checks for rlimits and others. The function also clears
-- * SGID bit from mode if user is not allowed to set it. Also file capabilities
-- * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
-+ * in the given inode. This includes the normal unix access permission
-+ * checks, as well as checks for rlimits and others.
- *
- * Should be called as the first thing in ->setattr implementations,
- * possibly after taking additional locks.
- */
--int setattr_prepare(struct dentry *dentry, struct iattr *attr)
-+int inode_change_ok(const struct inode *inode, struct iattr *attr)
- {
-- struct inode *inode = d_inode(dentry);
- unsigned int ia_valid = attr->ia_valid;
-
- /*
-@@ -92,7 +89,7 @@ kill_priv:
-
- return 0;
- }
--EXPORT_SYMBOL(setattr_prepare);
-+EXPORT_SYMBOL(inode_change_ok);
-
- /**
- * inode_newsize_ok - may this inode be truncated to a given size
---- a/fs/btrfs/inode.c
-+++ b/fs/btrfs/inode.c
-@@ -4690,7 +4690,7 @@ static int btrfs_setattr(struct dentry *
- if (btrfs_root_readonly(root))
- return -EROFS;
-
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(inode, attr);
- if (err)
- return err;
-
---- a/fs/ceph/inode.c
-+++ b/fs/ceph/inode.c
-@@ -1708,7 +1708,7 @@ int ceph_setattr(struct dentry *dentry,
- if (ceph_snap(inode) != CEPH_NOSNAP)
- return -EROFS;
-
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(inode, attr);
- if (err != 0)
- return err;
-
---- a/fs/cifs/inode.c
-+++ b/fs/cifs/inode.c
-@@ -2074,7 +2074,7 @@ cifs_setattr_unix(struct dentry *direntr
- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
- attrs->ia_valid |= ATTR_FORCE;
-
-- rc = setattr_prepare(direntry, attrs);
-+ rc = inode_change_ok(inode, attrs);
- if (rc < 0)
- goto out;
-
-@@ -2215,7 +2215,7 @@ cifs_setattr_nounix(struct dentry *diren
- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
- attrs->ia_valid |= ATTR_FORCE;
-
-- rc = setattr_prepare(direntry, attrs);
-+ rc = inode_change_ok(inode, attrs);
- if (rc < 0) {
- free_xid(xid);
- return rc;
---- a/fs/ecryptfs/inode.c
-+++ b/fs/ecryptfs/inode.c
-@@ -952,7 +952,7 @@ static int ecryptfs_setattr(struct dentr
- }
- mutex_unlock(&crypt_stat->cs_mutex);
-
-- rc = setattr_prepare(dentry, ia);
-+ rc = inode_change_ok(inode, ia);
- if (rc)
- goto out;
- if (ia->ia_valid & ATTR_SIZE) {
---- a/fs/exofs/inode.c
-+++ b/fs/exofs/inode.c
-@@ -1039,7 +1039,7 @@ int exofs_setattr(struct dentry *dentry,
- if (unlikely(error))
- return error;
-
-- error = setattr_prepare(dentry, iattr);
-+ error = inode_change_ok(inode, iattr);
- if (unlikely(error))
- return error;
-
---- a/fs/ext2/inode.c
-+++ b/fs/ext2/inode.c
-@@ -1547,7 +1547,7 @@ int ext2_setattr(struct dentry *dentry,
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, iattr);
-+ error = inode_change_ok(inode, iattr);
- if (error)
- return error;
-
---- a/fs/ext3/inode.c
-+++ b/fs/ext3/inode.c
-@@ -3244,7 +3244,7 @@ int ext3_setattr(struct dentry *dentry,
- int error, rc = 0;
- const unsigned int ia_valid = attr->ia_valid;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/ext4/inode.c
-+++ b/fs/ext4/inode.c
-@@ -4672,7 +4672,7 @@ int ext4_setattr(struct dentry *dentry,
- int orphan = 0;
- const unsigned int ia_valid = attr->ia_valid;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/f2fs/file.c
-+++ b/fs/f2fs/file.c
-@@ -500,7 +500,7 @@ int f2fs_setattr(struct dentry *dentry,
- struct f2fs_inode_info *fi = F2FS_I(inode);
- int err;
-
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(inode, attr);
- if (err)
- return err;
-
---- a/fs/fat/file.c
-+++ b/fs/fat/file.c
-@@ -394,7 +394,7 @@ int fat_setattr(struct dentry *dentry, s
- attr->ia_valid &= ~TIMES_SET_FLAGS;
- }
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- attr->ia_valid = ia_valid;
- if (error) {
- if (sbi->options.quiet)
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -1704,10 +1704,9 @@ int fuse_flush_times(struct inode *inode
- * vmtruncate() doesn't allow for this case, so do the rlimit checking
- * and the actual truncation by hand.
- */
--int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
-+int fuse_do_setattr(struct inode *inode, struct iattr *attr,
- struct file *file)
- {
-- struct inode *inode = dentry->d_inode;
- struct fuse_conn *fc = get_fuse_conn(inode);
- struct fuse_inode *fi = get_fuse_inode(inode);
- struct fuse_req *req;
-@@ -1722,7 +1721,7 @@ int fuse_do_setattr(struct dentry *dentr
- if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
- attr->ia_valid |= ATTR_FORCE;
-
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(inode, attr);
- if (err)
- return err;
-
-@@ -1827,9 +1826,9 @@ static int fuse_setattr(struct dentry *e
- return -EACCES;
-
- if (attr->ia_valid & ATTR_FILE)
-- return fuse_do_setattr(entry, attr, attr->ia_file);
-+ return fuse_do_setattr(inode, attr, attr->ia_file);
- else
-- return fuse_do_setattr(entry, attr, NULL);
-+ return fuse_do_setattr(inode, attr, NULL);
- }
-
- static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
---- a/fs/fuse/fuse_i.h
-+++ b/fs/fuse/fuse_i.h
-@@ -894,7 +894,7 @@ bool fuse_write_update_size(struct inode
- int fuse_flush_times(struct inode *inode, struct fuse_file *ff);
- int fuse_write_inode(struct inode *inode, struct writeback_control *wbc);
-
--int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
-+int fuse_do_setattr(struct inode *inode, struct iattr *attr,
- struct file *file);
-
- #endif /* _FS_FUSE_I_H */
---- a/fs/gfs2/inode.c
-+++ b/fs/gfs2/inode.c
-@@ -1774,7 +1774,7 @@ static int gfs2_setattr(struct dentry *d
- if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
- goto out;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- goto out;
-
---- a/fs/hfs/inode.c
-+++ b/fs/hfs/inode.c
-@@ -604,7 +604,7 @@ int hfs_inode_setattr(struct dentry *den
- struct hfs_sb_info *hsb = HFS_SB(inode->i_sb);
- int error;
-
-- error = setattr_prepare(dentry, attr); /* basic permission checks */
-+ error = inode_change_ok(inode, attr); /* basic permission checks */
- if (error)
- return error;
-
---- a/fs/hfsplus/inode.c
-+++ b/fs/hfsplus/inode.c
-@@ -247,7 +247,7 @@ static int hfsplus_setattr(struct dentry
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/hostfs/hostfs_kern.c
-+++ b/fs/hostfs/hostfs_kern.c
-@@ -792,7 +792,7 @@ static int hostfs_setattr(struct dentry
-
- int fd = HOSTFS_I(inode)->fd;
-
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(inode, attr);
- if (err)
- return err;
-
---- a/fs/hpfs/inode.c
-+++ b/fs/hpfs/inode.c
-@@ -272,7 +272,7 @@ int hpfs_setattr(struct dentry *dentry,
- if ((attr->ia_valid & ATTR_SIZE) && attr->ia_size > inode->i_size)
- goto out_unlock;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- goto out_unlock;
-
---- a/fs/hugetlbfs/inode.c
-+++ b/fs/hugetlbfs/inode.c
-@@ -429,7 +429,7 @@ static int hugetlbfs_setattr(struct dent
-
- BUG_ON(!inode);
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/jffs2/fs.c
-+++ b/fs/jffs2/fs.c
-@@ -193,7 +193,7 @@ int jffs2_setattr(struct dentry *dentry,
- struct inode *inode = dentry->d_inode;
- int rc;
-
-- rc = setattr_prepare(dentry, iattr);
-+ rc = inode_change_ok(inode, iattr);
- if (rc)
- return rc;
-
---- a/fs/jfs/file.c
-+++ b/fs/jfs/file.c
-@@ -103,7 +103,7 @@ int jfs_setattr(struct dentry *dentry, s
- struct inode *inode = dentry->d_inode;
- int rc;
-
-- rc = setattr_prepare(dentry, iattr);
-+ rc = inode_change_ok(inode, iattr);
- if (rc)
- return rc;
-
---- a/fs/kernfs/inode.c
-+++ b/fs/kernfs/inode.c
-@@ -131,7 +131,7 @@ int kernfs_iop_setattr(struct dentry *de
- return -EINVAL;
-
- mutex_lock(&kernfs_mutex);
-- error = setattr_prepare(dentry, iattr);
-+ error = inode_change_ok(inode, iattr);
- if (error)
- goto out;
-
---- a/fs/libfs.c
-+++ b/fs/libfs.c
-@@ -371,7 +371,7 @@ int simple_setattr(struct dentry *dentry
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, iattr);
-+ error = inode_change_ok(inode, iattr);
- if (error)
- return error;
-
---- a/fs/logfs/file.c
-+++ b/fs/logfs/file.c
-@@ -244,7 +244,7 @@ static int logfs_setattr(struct dentry *
- struct inode *inode = dentry->d_inode;
- int err = 0;
-
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(inode, attr);
- if (err)
- return err;
-
---- a/fs/minix/file.c
-+++ b/fs/minix/file.c
-@@ -28,7 +28,7 @@ static int minix_setattr(struct dentry *
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/ncpfs/inode.c
-+++ b/fs/ncpfs/inode.c
-@@ -885,7 +885,7 @@ int ncp_notify_change(struct dentry *den
- /* ageing the dentry to force validation */
- ncp_age_dentry(server, dentry);
-
-- result = setattr_prepare(dentry, attr);
-+ result = inode_change_ok(inode, attr);
- if (result < 0)
- goto out;
-
---- a/fs/nfsd/vfs.c
-+++ b/fs/nfsd/vfs.c
-@@ -300,19 +300,17 @@ commit_metadata(struct svc_fh *fhp)
- * NFS semantics and what Linux expects.
- */
- static void
--nfsd_sanitize_attrs(struct dentry *dentry, struct iattr *iap)
-+nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
- {
-- struct inode *inode = dentry->d_inode;
--
- /*
- * NFSv2 does not differentiate between "set-[ac]time-to-now"
- * which only requires access, and "set-[ac]time-to-X" which
- * requires ownership.
- * So if it looks like it might be "set both to the same time which
-- * is close to now", and if setattr_prepare fails, then we
-+ * is close to now", and if inode_change_ok fails, then we
- * convert to "set to now" instead of "set to explicit time"
- *
-- * We only call setattr_prepare as the last test as technically
-+ * We only call inode_change_ok as the last test as technically
- * it is not an interface that we should be using.
- */
- #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
-@@ -330,7 +328,7 @@ nfsd_sanitize_attrs(struct dentry *dentr
- if (delta < 0)
- delta = -delta;
- if (delta < MAX_TOUCH_TIME_ERROR &&
-- setattr_prepare(dentry, iap) != 0) {
-+ inode_change_ok(inode, iap) != 0) {
- /*
- * Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
- * This will cause notify_change to set these times
-@@ -437,7 +435,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
- if (!iap->ia_valid)
- goto out;
-
-- nfsd_sanitize_attrs(dentry, iap);
-+ nfsd_sanitize_attrs(inode, iap);
-
- /*
- * The size case is special, it changes the file in addition to the
---- a/fs/nilfs2/inode.c
-+++ b/fs/nilfs2/inode.c
-@@ -839,7 +839,7 @@ int nilfs_setattr(struct dentry *dentry,
- struct super_block *sb = inode->i_sb;
- int err;
-
-- err = setattr_prepare(dentry, iattr);
-+ err = inode_change_ok(inode, iattr);
- if (err)
- return err;
-
---- a/fs/ntfs/inode.c
-+++ b/fs/ntfs/inode.c
-@@ -2891,7 +2891,7 @@ int ntfs_setattr(struct dentry *dentry,
- int err;
- unsigned int ia_valid = attr->ia_valid;
-
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(vi, attr);
- if (err)
- goto out;
- /* We do not support NTFS ACLs yet. */
---- a/fs/ocfs2/dlmfs/dlmfs.c
-+++ b/fs/ocfs2/dlmfs/dlmfs.c
-@@ -211,7 +211,7 @@ static int dlmfs_file_setattr(struct den
- struct inode *inode = dentry->d_inode;
-
- attr->ia_valid &= ~ATTR_SIZE;
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/ocfs2/file.c
-+++ b/fs/ocfs2/file.c
-@@ -1144,7 +1144,7 @@ int ocfs2_setattr(struct dentry *dentry,
- if (!(attr->ia_valid & OCFS2_VALID_ATTRS))
- return 0;
-
-- status = setattr_prepare(dentry, attr);
-+ status = inode_change_ok(inode, attr);
- if (status)
- return status;
-
---- a/fs/omfs/file.c
-+++ b/fs/omfs/file.c
-@@ -351,7 +351,7 @@ static int omfs_setattr(struct dentry *d
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -536,7 +536,7 @@ int proc_setattr(struct dentry *dentry,
- if (attr->ia_valid & ATTR_MODE)
- return -EPERM;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/proc/generic.c
-+++ b/fs/proc/generic.c
-@@ -41,7 +41,7 @@ static int proc_notify_change(struct den
- struct proc_dir_entry *de = PDE(inode);
- int error;
-
-- error = setattr_prepare(dentry, iattr);
-+ error = inode_change_ok(inode, iattr);
- if (error)
- return error;
-
---- a/fs/proc/proc_sysctl.c
-+++ b/fs/proc/proc_sysctl.c
-@@ -753,7 +753,7 @@ static int proc_sys_setattr(struct dentr
- if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
- return -EPERM;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/ramfs/file-nommu.c
-+++ b/fs/ramfs/file-nommu.c
-@@ -163,7 +163,7 @@ static int ramfs_nommu_setattr(struct de
- int ret = 0;
-
- /* POSIX UID/GID verification for setting inode attributes */
-- ret = setattr_prepare(dentry, ia);
-+ ret = inode_change_ok(inode, ia);
- if (ret)
- return ret;
-
---- a/fs/reiserfs/inode.c
-+++ b/fs/reiserfs/inode.c
-@@ -3312,7 +3312,7 @@ int reiserfs_setattr(struct dentry *dent
- unsigned int ia_valid;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/sysv/file.c
-+++ b/fs/sysv/file.c
-@@ -35,7 +35,7 @@ static int sysv_setattr(struct dentry *d
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/ubifs/file.c
-+++ b/fs/ubifs/file.c
-@@ -1262,7 +1262,7 @@ int ubifs_setattr(struct dentry *dentry,
-
- dbg_gen("ino %lu, mode %#x, ia_valid %#x",
- inode->i_ino, inode->i_mode, attr->ia_valid);
-- err = setattr_prepare(dentry, attr);
-+ err = inode_change_ok(inode, attr);
- if (err)
- return err;
-
---- a/fs/udf/file.c
-+++ b/fs/udf/file.c
-@@ -269,7 +269,7 @@ static int udf_setattr(struct dentry *de
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/ufs/truncate.c
-+++ b/fs/ufs/truncate.c
-@@ -496,7 +496,7 @@ int ufs_setattr(struct dentry *dentry, s
- unsigned int ia_valid = attr->ia_valid;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
---- a/fs/utimes.c
-+++ b/fs/utimes.c
-@@ -81,7 +81,7 @@ static int utimes_common(struct path *pa
- newattrs.ia_valid |= ATTR_MTIME_SET;
- }
- /*
-- * Tell setattr_prepare(), that this is an explicit time
-+ * Tell inode_change_ok(), that this is an explicit time
- * update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET
- * were used.
- */
-@@ -90,7 +90,7 @@ static int utimes_common(struct path *pa
- /*
- * If times is NULL (or both times are UTIME_NOW),
- * then we need to check permissions, because
-- * setattr_prepare() won't do it.
-+ * inode_change_ok() won't do it.
- */
- error = -EACCES;
- if (IS_IMMUTABLE(inode))
---- a/fs/xfs/xfs_acl.c
-+++ b/fs/xfs/xfs_acl.c
-@@ -244,8 +244,7 @@ xfs_set_mode(struct inode *inode, umode_
- iattr.ia_mode = mode;
- iattr.ia_ctime = current_fs_time(inode->i_sb);
-
-- error = -xfs_setattr_nonsize(NULL, XFS_I(inode), &iattr,
-- XFS_ATTR_NOACL);
-+ error = -xfs_setattr_nonsize(XFS_I(inode), &iattr, XFS_ATTR_NOACL);
- }
-
- return error;
---- a/fs/xfs/xfs_file.c
-+++ b/fs/xfs/xfs_file.c
-@@ -862,7 +862,7 @@ xfs_file_fallocate(
-
- iattr.ia_valid = ATTR_SIZE;
- iattr.ia_size = new_size;
-- error = xfs_setattr_size(file->f_dentry, &iattr);
-+ error = xfs_setattr_size(ip, &iattr);
- }
-
- out_unlock:
---- a/fs/xfs/xfs_ioctl.c
-+++ b/fs/xfs/xfs_ioctl.c
-@@ -717,7 +717,7 @@ xfs_ioc_space(
- iattr.ia_valid = ATTR_SIZE;
- iattr.ia_size = bf->l_start;
-
-- error = xfs_setattr_size(filp->f_dentry, &iattr);
-+ error = xfs_setattr_size(ip, &iattr);
- if (!error)
- clrprealloc = true;
- break;
---- a/fs/xfs/xfs_iops.c
-+++ b/fs/xfs/xfs_iops.c
-@@ -527,7 +527,6 @@ xfs_setattr_time(
-
- int
- xfs_setattr_nonsize(
-- struct dentry *dentry,
- struct xfs_inode *ip,
- struct iattr *iattr,
- int flags)
-@@ -552,7 +551,7 @@ xfs_setattr_nonsize(
- if (XFS_FORCED_SHUTDOWN(mp))
- return XFS_ERROR(EIO);
-
-- error = -setattr_prepare(dentry, iattr);
-+ error = -inode_change_ok(inode, iattr);
- if (error)
- return XFS_ERROR(error);
- }
-@@ -735,12 +734,11 @@ out_dqrele:
- */
- int
- xfs_setattr_size(
-- struct dentry *dentry,
-+ struct xfs_inode *ip,
- struct iattr *iattr)
- {
-- struct inode *inode = dentry->d_inode;
-- struct xfs_inode *ip = XFS_I(inode);
- struct xfs_mount *mp = ip->i_mount;
-+ struct inode *inode = VFS_I(ip);
- xfs_off_t oldsize, newsize;
- struct xfs_trans *tp;
- int error;
-@@ -756,7 +754,7 @@ xfs_setattr_size(
- if (XFS_FORCED_SHUTDOWN(mp))
- return XFS_ERROR(EIO);
-
-- error = -setattr_prepare(dentry, iattr);
-+ error = -inode_change_ok(inode, iattr);
- if (error)
- return XFS_ERROR(error);
-
-@@ -780,7 +778,7 @@ xfs_setattr_size(
- * Use the regular setattr path to update the timestamps.
- */
- iattr->ia_valid &= ~ATTR_SIZE;
-- return xfs_setattr_nonsize(dentry, ip, iattr, 0);
-+ return xfs_setattr_nonsize(ip, iattr, 0);
- }
-
- /*
-@@ -941,10 +939,10 @@ xfs_vn_setattr(
-
- if (iattr->ia_valid & ATTR_SIZE) {
- xfs_ilock(ip, XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL);
-- error = xfs_setattr_size(dentry, iattr);
-+ error = xfs_setattr_size(ip, iattr);
- xfs_iunlock(ip, XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL);
- } else {
-- error = xfs_setattr_nonsize(dentry, ip, iattr, 0);
-+ error = xfs_setattr_nonsize(ip, iattr, 0);
- }
-
- return -error;
---- a/fs/xfs/xfs_iops.h
-+++ b/fs/xfs/xfs_iops.h
-@@ -32,8 +32,8 @@ extern void xfs_setup_inode(struct xfs_i
- */
- #define XFS_ATTR_NOACL 0x01 /* Don't call posix_acl_chmod */
-
--extern int xfs_setattr_nonsize(struct dentry *dentry, struct xfs_inode *ip,
-- struct iattr *vap, int flags);
--extern int xfs_setattr_size(struct dentry *dentry, struct iattr *vap);
-+extern int xfs_setattr_nonsize(struct xfs_inode *ip, struct iattr *vap,
-+ int flags);
-+extern int xfs_setattr_size(struct xfs_inode *ip, struct iattr *vap);
-
- #endif /* __XFS_IOPS_H__ */
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -2629,7 +2629,7 @@ extern int buffer_migrate_page(struct ad
- #define buffer_migrate_page NULL
- #endif
-
--extern int setattr_prepare(struct dentry *, struct iattr *);
-+extern int inode_change_ok(const struct inode *, struct iattr *);
- extern int inode_newsize_ok(const struct inode *, loff_t offset);
- extern void setattr_copy(struct inode *inode, const struct iattr *attr);
-
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -540,7 +540,7 @@ static int shmem_setattr(struct dentry *
- struct inode *inode = dentry->d_inode;
- int error;
-
-- error = setattr_prepare(dentry, attr);
-+ error = inode_change_ok(inode, attr);
- if (error)
- return error;
-
diff --git a/debian/patches/bugfix/all/rose-limit-sk_filter-trim-to-payload.patch b/debian/patches/bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
deleted file mode 100644
index fdc3fde..0000000
--- a/debian/patches/bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Willem de Bruijn <willemb at google.com>
-Date: Tue, 12 Jul 2016 18:18:56 -0400
-Subject: rose: limit sk_filter trim to payload
-Origin: https://git.kernel.org/linus/f4979fcea7fd36d8e2f556abef86f80e0d5af1ba
-
-Sockets can have a filter program attached that drops or trims
-incoming packets based on the filter program return value.
-
-Rose requires data packets to have at least ROSE_MIN_LEN bytes. It
-verifies this on arrival in rose_route_frame and unconditionally pulls
-the bytes in rose_recvmsg. The filter can trim packets to below this
-value in-between, causing pull to fail, leaving the partial header at
-the time of skb_copy_datagram_msg.
-
-Place a lower bound on the size to which sk_filter may trim packets
-by introducing sk_filter_trim_cap and call this for rose packets.
-
-Signed-off-by: Willem de Bruijn <willemb at google.com>
-Acked-by: Daniel Borkmann <daniel at iogearbox.net>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust context]
----
- include/linux/filter.h | 6 +++++-
- net/core/filter.c | 10 +++++-----
- net/rose/rose_in.c | 3 ++-
- 3 files changed, 12 insertions(+), 7 deletions(-)
-
---- a/include/linux/filter.h
-+++ b/include/linux/filter.h
-@@ -346,7 +346,11 @@ static inline unsigned int sk_filter_siz
- #define sk_filter_proglen(fprog) \
- (fprog->len * sizeof(fprog->filter[0]))
-
--int sk_filter(struct sock *sk, struct sk_buff *skb);
-+int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap);
-+static inline int sk_filter(struct sock *sk, struct sk_buff *skb)
-+{
-+ return sk_filter_trim_cap(sk, skb, 1);
-+}
-
- void sk_filter_select_runtime(struct sk_filter *fp);
- void sk_filter_free(struct sk_filter *fp);
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -94,9 +94,10 @@ static inline void *load_pointer(const s
- }
-
- /**
-- * sk_filter - run a packet through a socket filter
-+ * sk_filter_trim_cap - run a packet through a socket filter
- * @sk: sock associated with &sk_buff
- * @skb: buffer to filter
-+ * @cap: limit on how short the eBPF program may trim the packet
- *
- * Run the filter code and then cut skb->data to correct size returned by
- * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
-@@ -105,7 +106,7 @@ static inline void *load_pointer(const s
- * be accepted or -EPERM if the packet should be tossed.
- *
- */
--int sk_filter(struct sock *sk, struct sk_buff *skb)
-+int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap)
- {
- int err;
- struct sk_filter *filter;
-@@ -126,14 +127,13 @@ int sk_filter(struct sock *sk, struct sk
- filter = rcu_dereference(sk->sk_filter);
- if (filter) {
- unsigned int pkt_len = SK_RUN_FILTER(filter, skb);
--
-- err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
-+ err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM;
- }
- rcu_read_unlock();
-
- return err;
- }
--EXPORT_SYMBOL(sk_filter);
-+EXPORT_SYMBOL(sk_filter_trim_cap);
-
- /* Base function for offset calculation. Needs to go into .text section,
- * therefore keeping it non-static as well; will also be used by JITs
---- a/net/rose/rose_in.c
-+++ b/net/rose/rose_in.c
-@@ -164,7 +164,8 @@ static int rose_state3_machine(struct so
- rose_frames_acked(sk, nr);
- if (ns == rose->vr) {
- rose_start_idletimer(sk);
-- if (sock_queue_rcv_skb(sk, skb) == 0) {
-+ if (sk_filter_trim_cap(sk, skb, ROSE_MIN_LEN) == 0 &&
-+ __sock_queue_rcv_skb(sk, skb) == 0) {
- rose->vr = (rose->vr + 1) % ROSE_MODULUS;
- queued = 1;
- } else {
diff --git a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
deleted file mode 100644
index fb411c8..0000000
--- a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Mon, 6 Feb 2017 18:10:31 -0200
-Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
-Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5986
-
-Alexander Popov reported that an application may trigger a BUG_ON in
-sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
-waiting on it to queue more data and meanwhile another thread peels off
-the association being used by the first thread.
-
-This patch replaces the BUG_ON call with a proper error handling. It
-will return -EPIPE to the original sendmsg call, similarly to what would
-have been done if the association wasn't found in the first place.
-
-Acked-by: Alexander Popov <alex.popov at linux.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Reviewed-by: Xin Long <lucien.xin at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/socket.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 37eeab7..e214d2e 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- */
- release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- BUG_ON(sk != asoc->base.sk);
-+ if (sk != asoc->base.sk)
-+ goto do_error;
- lock_sock(sk);
-
- *timeo_p = current_timeo;
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch b/debian/patches/bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
deleted file mode 100644
index 5cd6632..0000000
--- a/debian/patches/bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Thu, 23 Feb 2017 09:31:18 -0300
-Subject: sctp: deny peeloff operation on asocs with threads sleeping on it
-Origin: https://git.kernel.org/linus/dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6353
-
-commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
-attempted to avoid a BUG_ON call when the association being used for a
-sendmsg() is blocked waiting for more sndbuf and another thread did a
-peeloff operation on such asoc, moving it to another socket.
-
-As Ben Hutchings noticed, then in such case it would return without
-locking back the socket and would cause two unlocks in a row.
-
-Further analysis also revealed that it could allow a double free if the
-application managed to peeloff the asoc that is created during the
-sendmsg call, because then sctp_sendmsg() would try to free the asoc
-that was created only for that call.
-
-This patch takes another approach. It will deny the peeloff operation
-if there is a thread sleeping on the asoc, so this situation doesn't
-exist anymore. This avoids the issues described above and also honors
-the syscalls that are already being handled (it can be multiple sendmsg
-calls).
-
-Joint work with Xin Long.
-
-Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
-Cc: Alexander Popov <alex.popov at linux.com>
-Cc: Ben Hutchings <ben at decadent.org.uk>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Signed-off-by: Xin Long <lucien.xin at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/socket.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index b532148..465a9c8 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -4862,6 +4862,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
- if (!asoc)
- return -EINVAL;
-
-+ /* If there is a thread waiting on more sndbuf space for
-+ * sending on this asoc, it cannot be peeled.
-+ */
-+ if (waitqueue_active(&asoc->wait))
-+ return -EBUSY;
-+
- /* An association cannot be branched off from an already peeled-off
- * socket, nor is this supported for tcp style sockets.
- */
-@@ -7599,8 +7605,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- */
- release_sock(sk);
- current_timeo = schedule_timeout(current_timeo);
-- if (sk != asoc->base.sk)
-- goto do_error;
- lock_sock(sk);
-
- *timeo_p = current_timeo;
---
-2.1.4
-
diff --git a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
deleted file mode 100644
index ccc8064..0000000
--- a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Date: Tue, 25 Oct 2016 14:27:39 -0200
-Subject: sctp: validate chunk len before actually using it
-Origin: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9555
-
-Andrey Konovalov reported that KASAN detected that SCTP was using a slab
-beyond the boundaries. It was caused because when handling out of the
-blue packets in function sctp_sf_ootb() it was checking the chunk len
-only after already processing the first chunk, validating only for the
-2nd and subsequent ones.
-
-The fix is to just move the check upwards so it's also validated for the
-1st chunk.
-
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
-Reviewed-by: Xin Long <lucien.xin at gmail.com>
-Acked-by: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: moved code is slightly different]
----
- net/sctp/sm_statefuns.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -3426,6 +3426,12 @@ sctp_disposition_t sctp_sf_ootb(struct n
- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
- commands);
-
-+ /* Report violation if chunk len overflows */
-+ ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
-+ if (ch_end > skb_tail_pointer(skb))
-+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-+ commands);
-+
- /* Now that we know we at least have a chunk header,
- * do things that are type appropriate.
- */
-@@ -3457,12 +3463,6 @@ sctp_disposition_t sctp_sf_ootb(struct n
- }
- }
-
-- /* Report violation if chunk len overflows */
-- ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
-- if (ch_end > skb_tail_pointer(skb))
-- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-- commands);
--
- ch = (sctp_chunkhdr_t *) ch_end;
- } while (ch_end < skb_tail_pointer(skb));
-
diff --git a/debian/patches/bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch b/debian/patches/bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
deleted file mode 100644
index ef41f77..0000000
--- a/debian/patches/bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Stephen Smalley <sds at tycho.nsa.gov>
-Date: Tue, 31 Jan 2017 11:54:04 -0500
-Subject: selinux: fix off-by-one in setprocattr
-Origin: https://git.kernel.org/linus/0c461cb727d146c9ef2d3e86214f498b78b7d125
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2618
-
-SELinux tries to support setting/clearing of /proc/pid/attr attributes
-from the shell by ignoring terminating newlines and treating an
-attribute value that begins with a NUL or newline as an attempt to
-clear the attribute. However, the test for clearing attributes has
-always been wrong; it has an off-by-one error, and this could further
-lead to reading past the end of the allocated buffer since commit
-bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
-switch to memdup_user()"). Fix the off-by-one error.
-
-Even with this fix, setting and clearing /proc/pid/attr attributes
-from the shell is not straightforward since the interface does not
-support multiple write() calls (so shells that write the value and
-newline separately will set and then immediately clear the attribute,
-requiring use of echo -n to set the attribute), whereas trying to use
-echo -n "" to clear the attribute causes the shell to skip the
-write() call altogether since POSIX says that a zero-length write
-causes no side effects. Thus, one must use echo -n to set and echo
-without -n to clear, as in the following example:
-$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
-$ cat /proc/$$/attr/fscreate
-unconfined_u:object_r:user_home_t:s0
-$ echo "" > /proc/$$/attr/fscreate
-$ cat /proc/$$/attr/fscreate
-
-Note the use of /proc/$$ rather than /proc/self, as otherwise
-the cat command will read its own attribute value, not that of the shell.
-
-There are no users of this facility to my knowledge; possibly we
-should just get rid of it.
-
-UPDATE: Upon further investigation it appears that a local process
-with the process:setfscreate permission can cause a kernel panic as a
-result of this bug. This patch fixes CVE-2017-2618.
-
-Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
-[PM: added the update about CVE-2017-2618 to the commit description]
-Cc: stable at vger.kernel.org # 3.5: d6ea83ec6864e
-Signed-off-by: Paul Moore <paul at paul-moore.com>
-
-Signed-off-by: James Morris <james.l.morris at oracle.com>
----
- security/selinux/hooks.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -5546,7 +5546,7 @@ static int selinux_setprocattr(struct ta
- return error;
-
- /* Obtain a SID for the context, if one was specified. */
-- if (size && str[1] && str[1] != '\n') {
-+ if (size && str[0] && str[0] != '\n') {
- if (str[size-1] == '\n') {
- str[size-1] = 0;
- size--;
diff --git a/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch b/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
deleted file mode 100644
index 97c78b8..0000000
--- a/debian/patches/bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Calvin Owens <calvinowens at fb.com>
-Date: Fri, 30 Oct 2015 16:57:00 -0700
-Subject: sg: Fix double-free when drives detach during SG_IO
-Origin: https://git.kernel.org/linus/f3951a3709ff50990bf3e188c27d346792103432
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8962
-
-In sg_common_write(), we free the block request and return -ENODEV if
-the device is detached in the middle of the SG_IO ioctl().
-
-Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
-end up freeing rq->cmd in the already free rq object, and then free
-the object itself out from under the current user.
-
-This ends up corrupting random memory via the list_head on the rq
-object. The most common crash trace I saw is this:
-
- ------------[ cut here ]------------
- kernel BUG at block/blk-core.c:1420!
- Call Trace:
- [<ffffffff81281eab>] blk_put_request+0x5b/0x80
- [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
- [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
- [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
- [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
- [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
- [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
- [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
- [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
- [<ffffffff81602afb>] tracesys+0xdd/0xe2
- RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
-
-The solution is straightforward: just set srp->rq to NULL in the
-failure branch so that sg_finish_rem_req() doesn't attempt to re-free
-it.
-
-Additionally, since sg_rq_end_io() will never be called on the object
-when this happens, we need to free memory backing ->cmd if it isn't
-embedded in the object itself.
-
-KASAN was extremely helpful in finding the root cause of this bug.
-
-Signed-off-by: Calvin Owens <calvinowens at fb.com>
-Acked-by: Douglas Gilbert <dgilbert at interlog.com>
-Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
-[bwh: Backported to 3.16:
- - sg_finish_rem_req() would not free srp->rq->cmd so don't do it here either
- - Adjust context]
----
- drivers/scsi/sg.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -766,8 +766,11 @@ sg_common_write(Sg_fd * sfp, Sg_request
- return k; /* probably out of space --> ENOMEM */
- }
- if (sdp->detached) {
-- if (srp->bio)
-+ if (srp->bio) {
- blk_end_request_all(srp->rq, -EIO);
-+ srp->rq = NULL;
-+ }
-+
- sg_finish_rem_req(srp);
- return -ENODEV;
- }
diff --git a/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch b/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
deleted file mode 100644
index a1891df..0000000
--- a/debian/patches/bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 16 Dec 2016 13:42:06 -0500
-Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
-Origin: https://git.kernel.org/linus/128394eff343fc6d2f32172f03e24829539c5835
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9576
-
-Both damn things interpret userland pointers embedded into the payload;
-worse, they are actually traversing those. Leaving aside the bad
-API design, this is very much _not_ safe to call with KERNEL_DS.
-Bail out early if that happens.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- block/bsg.c | 3 +++
- drivers/scsi/sg.c | 3 +++
- 2 files changed, 6 insertions(+)
-
---- a/block/bsg.c
-+++ b/block/bsg.c
-@@ -676,6 +676,9 @@ bsg_write(struct file *file, const char
-
- dprintk("%s: write %Zd bytes\n", bd->name, count);
-
-+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-+ return -EINVAL;
-+
- bsg_set_block(bd, file);
-
- bytes_written = 0;
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -568,6 +568,9 @@ sg_write(struct file *filp, const char _
- sg_io_hdr_t *hp;
- unsigned char cmnd[MAX_COMMAND_SIZE];
-
-+ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-+ return -EINVAL;
-+
- if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
- return -ENXIO;
- SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n",
diff --git a/debian/patches/bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch b/debian/patches/bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
deleted file mode 100644
index bad97ab..0000000
--- a/debian/patches/bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Zhou Chengming <zhouchengming1 at huawei.com>
-Date: Fri, 6 Jan 2017 09:32:32 +0800
-Subject: sysctl: Drop reference added by grab_header in proc_sys_readdir
-Origin: https://git.kernel.org/linus/93362fa47fe98b62e4a34ab408c4a418432e7939
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9191
-
-Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
-added by grab_header when return from !dir_emit_dots path.
-It can cause any path called unregister_sysctl_table will
-wait forever.
-
-The calltrace of CVE-2016-9191:
-
-[ 5535.960522] Call Trace:
-[ 5535.963265] [<ffffffff817cdaaf>] schedule+0x3f/0xa0
-[ 5535.968817] [<ffffffff817d33fb>] schedule_timeout+0x3db/0x6f0
-[ 5535.975346] [<ffffffff817cf055>] ? wait_for_completion+0x45/0x130
-[ 5535.982256] [<ffffffff817cf0d3>] wait_for_completion+0xc3/0x130
-[ 5535.988972] [<ffffffff810d1fd0>] ? wake_up_q+0x80/0x80
-[ 5535.994804] [<ffffffff8130de64>] drop_sysctl_table+0xc4/0xe0
-[ 5536.001227] [<ffffffff8130de17>] drop_sysctl_table+0x77/0xe0
-[ 5536.007648] [<ffffffff8130decd>] unregister_sysctl_table+0x4d/0xa0
-[ 5536.014654] [<ffffffff8130deff>] unregister_sysctl_table+0x7f/0xa0
-[ 5536.021657] [<ffffffff810f57f5>] unregister_sched_domain_sysctl+0x15/0x40
-[ 5536.029344] [<ffffffff810d7704>] partition_sched_domains+0x44/0x450
-[ 5536.036447] [<ffffffff817d0761>] ? __mutex_unlock_slowpath+0x111/0x1f0
-[ 5536.043844] [<ffffffff81167684>] rebuild_sched_domains_locked+0x64/0xb0
-[ 5536.051336] [<ffffffff8116789d>] update_flag+0x11d/0x210
-[ 5536.057373] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
-[ 5536.064186] [<ffffffff81167acb>] ? cpuset_css_offline+0x1b/0x60
-[ 5536.070899] [<ffffffff810fce3d>] ? trace_hardirqs_on+0xd/0x10
-[ 5536.077420] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
-[ 5536.084234] [<ffffffff8115a9f5>] ? css_killed_work_fn+0x25/0x220
-[ 5536.091049] [<ffffffff81167ae5>] cpuset_css_offline+0x35/0x60
-[ 5536.097571] [<ffffffff8115aa2c>] css_killed_work_fn+0x5c/0x220
-[ 5536.104207] [<ffffffff810bc83f>] process_one_work+0x1df/0x710
-[ 5536.110736] [<ffffffff810bc7c0>] ? process_one_work+0x160/0x710
-[ 5536.117461] [<ffffffff810bce9b>] worker_thread+0x12b/0x4a0
-[ 5536.123697] [<ffffffff810bcd70>] ? process_one_work+0x710/0x710
-[ 5536.130426] [<ffffffff810c3f7e>] kthread+0xfe/0x120
-[ 5536.135991] [<ffffffff817d4baf>] ret_from_fork+0x1f/0x40
-[ 5536.142041] [<ffffffff810c3e80>] ? kthread_create_on_node+0x230/0x230
-
-One cgroup maintainer mentioned that "cgroup is trying to offline
-a cpuset css, which takes place under cgroup_mutex. The offlining
-ends up trying to drain active usages of a sysctl table which apprently
-is not happening."
-The real reason is that proc_sys_readdir doesn't drop reference added
-by grab_header when return from !dir_emit_dots path. So this cpuset
-offline path will wait here forever.
-
-See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13
-
-Fixes: f0c3b5093add ("[readdir] convert procfs")
-Reported-by: CAI Qian <caiqian at redhat.com>
-Tested-by: Yang Shukui <yangshukui at huawei.com>
-Signed-off-by: Zhou Chengming <zhouchengming1 at huawei.com>
-Acked-by: Al Viro <viro at ZenIV.linux.org.uk>
-Signed-off-by: Eric W. Biederman <ebiederm at xmission.com>
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- fs/proc/proc_sysctl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/fs/proc/proc_sysctl.c
-+++ b/fs/proc/proc_sysctl.c
-@@ -703,7 +703,7 @@ static int proc_sys_readdir(struct file
- ctl_dir = container_of(head, struct ctl_dir, header);
-
- if (!dir_emit_dots(file, ctx))
-- return 0;
-+ goto out;
-
- pos = 2;
-
-@@ -713,6 +713,7 @@ static int proc_sys_readdir(struct file
- break;
- }
- }
-+out:
- sysctl_head_finish(head);
- return 0;
- }
diff --git a/debian/patches/bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch b/debian/patches/bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
deleted file mode 100644
index 9865636..0000000
--- a/debian/patches/bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 3 Feb 2017 14:59:38 -0800
-Subject: tcp: avoid infinite loop in tcp_splice_read()
-Origin: https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-6214
-
-Splicing from TCP socket is vulnerable when a packet with URG flag is
-received and stored into receive queue.
-
-__tcp_splice_read() returns 0, and sk_wait_data() immediately
-returns since there is the problematic skb in queue.
-
-This is a nice way to burn cpu (aka infinite loop) and trigger
-soft lockups.
-
-Again, this gem was found by syzkaller tool.
-
-Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: Willy Tarreau <w at 1wt.eu>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- net/ipv4/tcp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index 9ee5a4bbb289..068ffa698318 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -765,6 +765,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
- ret = -EAGAIN;
- break;
- }
-+ /* if __tcp_splice_read() got nothing while we have
-+ * an skb in receive queue, we do not want to loop.
-+ * This might happen with URG data.
-+ */
-+ if (!skb_queue_empty(&sk->sk_receive_queue))
-+ break;
- sk_wait_data(sk, &timeo);
- if (signal_pending(current)) {
- ret = sock_intr_errno(timeo);
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch b/debian/patches/bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
deleted file mode 100644
index 08e41d8..0000000
--- a/debian/patches/bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Thu, 10 Nov 2016 13:12:35 -0800
-Subject: tcp: take care of truncations done by sk_filter()
-Origin: https://git.kernel.org/linus/ac6e780070e30e4c35bd395acfe9191e6268bdd3
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8645
-
-With syzkaller help, Marco Grassi found a bug in TCP stack,
-crashing in tcp_collapse()
-
-Root cause is that sk_filter() can truncate the incoming skb,
-but TCP stack was not really expecting this to happen.
-It probably was expecting a simple DROP or ACCEPT behavior.
-
-We first need to make sure no part of TCP header could be removed.
-Then we need to adjust TCP_SKB_CB(skb)->end_seq
-
-Many thanks to syzkaller team and Marco for giving us a reproducer.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Marco Grassi <marco.gra at gmail.com>
-Reported-by: Vladis Dronov <vdronov at redhat.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.16: adjust context]
----
- include/net/tcp.h | 1 +
- net/ipv4/tcp_ipv4.c | 19 ++++++++++++++++++-
- net/ipv6/tcp_ipv6.c | 6 ++++--
- 3 files changed, 23 insertions(+), 3 deletions(-)
-
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -1053,6 +1053,7 @@ static inline void tcp_prequeue_init(str
- }
-
- bool tcp_prequeue(struct sock *sk, struct sk_buff *skb);
-+int tcp_filter(struct sock *sk, struct sk_buff *skb);
-
- #undef STATE_TRACE
-
---- a/net/ipv4/tcp_ipv4.c
-+++ b/net/ipv4/tcp_ipv4.c
-@@ -1697,6 +1697,21 @@ bool tcp_prequeue(struct sock *sk, struc
- }
- EXPORT_SYMBOL(tcp_prequeue);
-
-+int tcp_filter(struct sock *sk, struct sk_buff *skb)
-+{
-+ struct tcphdr *th = (struct tcphdr *)skb->data;
-+ unsigned int eaten = skb->len;
-+ int err;
-+
-+ err = sk_filter_trim_cap(sk, skb, th->doff * 4);
-+ if (!err) {
-+ eaten -= skb->len;
-+ TCP_SKB_CB(skb)->end_seq -= eaten;
-+ }
-+ return err;
-+}
-+EXPORT_SYMBOL(tcp_filter);
-+
- /*
- * From tcp_input.c
- */
-@@ -1760,8 +1775,10 @@ process:
- goto discard_and_relse;
- nf_reset(skb);
-
-- if (sk_filter(sk, skb))
-+ if (tcp_filter(sk, skb))
- goto discard_and_relse;
-+ th = (const struct tcphdr *)skb->data;
-+ iph = ip_hdr(skb);
-
- sk_mark_napi_id(sk, skb);
- skb->dev = NULL;
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1359,7 +1359,7 @@ static int tcp_v6_do_rcv(struct sock *sk
- goto discard;
- #endif
-
-- if (sk_filter(sk, skb))
-+ if (tcp_filter(sk, skb))
- goto discard;
-
- /*
-@@ -1531,8 +1531,10 @@ process:
- if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
- goto discard_and_relse;
-
-- if (sk_filter(sk, skb))
-+ if (tcp_filter(sk, skb))
- goto discard_and_relse;
-+ th = (const struct tcphdr *)skb->data;
-+ hdr = ipv6_hdr(skb);
-
- sk_mark_napi_id(sk, skb);
- skb->dev = NULL;
diff --git a/debian/patches/bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch b/debian/patches/bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch
deleted file mode 100644
index 3631cae..0000000
--- a/debian/patches/bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Gu Zheng <guzheng1 at huawei.com>
-Date: Mon, 9 Jan 2017 09:34:48 +0800
-Subject: tmpfs: clear S_ISGID when setting posix ACLs
-Origin: https://git.kernel.org/linus/497de07d89c1410d76a15bec2bb41f24a2a89f31
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5551
-
-This change was missed the tmpfs modification in In CVE-2016-7097
-commit 073931017b49 ("posix_acl: Clear SGID bit when setting
-file permissions")
-It can test by xfstest generic/375, which failed to clear
-setgid bit in the following test case on tmpfs:
-
- touch $testfile
- chown 100:100 $testfile
- chmod 2755 $testfile
- _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
-
-Signed-off-by: Gu Zheng <guzheng1 at huawei.com>
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- fs/posix_acl.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
---- a/fs/posix_acl.c
-+++ b/fs/posix_acl.c
-@@ -904,11 +904,10 @@ int simple_set_acl(struct inode *inode,
- int error;
-
- if (type == ACL_TYPE_ACCESS) {
-- error = posix_acl_equiv_mode(acl, &inode->i_mode);
-- if (error < 0)
-- return 0;
-- if (error == 0)
-- acl = NULL;
-+ error = posix_acl_update_mode(inode,
-+ &inode->i_mode, &acl);
-+ if (error)
-+ return error;
- }
-
- inode->i_ctime = CURRENT_TIME;
diff --git a/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch b/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
deleted file mode 100644
index f7d6f81..0000000
--- a/debian/patches/bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
+++ /dev/null
@@ -1,314 +0,0 @@
-From: Alexander Popov <alex.popov at linux.com>
-Date: Tue, 28 Feb 2017 19:54:40 +0300
-Subject: tty: n_hdlc: get rid of racy n_hdlc.tbuf
-Origin: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?id=82f2341c94d270421f383641b7cd670e474db56b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2636
-
-Currently N_HDLC line discipline uses a self-made singly linked list for
-data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
-an error.
-
-The commit be10eb7589337e5defbe214dae038a53dd21add8
-("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
-After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
-one data buffer to tx_free_buf_list twice. That causes double free in
-n_hdlc_release().
-
-Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
-in case of tx error put current data buffer after the head of tx_buf_list.
-
-Signed-off-by: Alexander Popov <alex.popov at linux.com>
-Cc: stable <stable at vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------
- 1 file changed, 69 insertions(+), 63 deletions(-)
-
-diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
-index 1bacbc3b19a0..e94aea8c0d05 100644
---- a/drivers/tty/n_hdlc.c
-+++ b/drivers/tty/n_hdlc.c
-@@ -114,7 +114,7 @@
- #define DEFAULT_TX_BUF_COUNT 3
-
- struct n_hdlc_buf {
-- struct n_hdlc_buf *link;
-+ struct list_head list_item;
- int count;
- char buf[1];
- };
-@@ -122,8 +122,7 @@ struct n_hdlc_buf {
- #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
-
- struct n_hdlc_buf_list {
-- struct n_hdlc_buf *head;
-- struct n_hdlc_buf *tail;
-+ struct list_head list;
- int count;
- spinlock_t spinlock;
- };
-@@ -136,7 +135,6 @@ struct n_hdlc_buf_list {
- * @backup_tty - TTY to use if tty gets closed
- * @tbusy - reentrancy flag for tx wakeup code
- * @woke_up - FIXME: describe this field
-- * @tbuf - currently transmitting tx buffer
- * @tx_buf_list - list of pending transmit frame buffers
- * @rx_buf_list - list of received frame buffers
- * @tx_free_buf_list - list unused transmit frame buffers
-@@ -149,7 +147,6 @@ struct n_hdlc {
- struct tty_struct *backup_tty;
- int tbusy;
- int woke_up;
-- struct n_hdlc_buf *tbuf;
- struct n_hdlc_buf_list tx_buf_list;
- struct n_hdlc_buf_list rx_buf_list;
- struct n_hdlc_buf_list tx_free_buf_list;
-@@ -159,6 +156,8 @@ struct n_hdlc {
- /*
- * HDLC buffer list manipulation functions
- */
-+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
-+ struct n_hdlc_buf *buf);
- static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
- struct n_hdlc_buf *buf);
- static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
-@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty)
- {
- struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
- struct n_hdlc_buf *buf;
-- unsigned long flags;
-
- while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
-- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
-- if (n_hdlc->tbuf) {
-- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
-- n_hdlc->tbuf = NULL;
-- }
-- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
- }
-
- static struct tty_ldisc_ops n_hdlc_ldisc = {
-@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc)
- } else
- break;
- }
-- kfree(n_hdlc->tbuf);
- kfree(n_hdlc);
-
- } /* end of n_hdlc_release() */
-@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
- n_hdlc->woke_up = 0;
- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
-
-- /* get current transmit buffer or get new transmit */
-- /* buffer from list of pending transmit buffers */
--
-- tbuf = n_hdlc->tbuf;
-- if (!tbuf)
-- tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
--
-+ tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
- while (tbuf) {
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)sending frame %p, count=%d\n",
-@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
-
- /* rollback was possible and has been done */
- if (actual == -ERESTARTSYS) {
-- n_hdlc->tbuf = tbuf;
-+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
- break;
- }
- /* if transmit error, throw frame away by */
-@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
-
- /* free current transmit buffer */
- n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf);
--
-- /* this tx buffer is done */
-- n_hdlc->tbuf = NULL;
--
-+
- /* wait up sleeping writers */
- wake_up_interruptible(&tty->write_wait);
-
-@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)frame %p pending\n",
- __FILE__,__LINE__,tbuf);
--
-- /* buffer not accepted by driver */
-- /* set this buffer as pending buffer */
-- n_hdlc->tbuf = tbuf;
-+
-+ /*
-+ * the buffer was not accepted by driver,
-+ * return it back into tx queue
-+ */
-+ n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
- break;
- }
- }
-@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
- int error = 0;
- int count;
- unsigned long flags;
--
-+ struct n_hdlc_buf *buf = NULL;
-+
- if (debuglevel >= DEBUG_LEVEL_INFO)
- printk("%s(%d)n_hdlc_tty_ioctl() called %d\n",
- __FILE__,__LINE__,cmd);
-@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
- /* report count of read data available */
- /* in next available frame (if any) */
- spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags);
-- if (n_hdlc->rx_buf_list.head)
-- count = n_hdlc->rx_buf_list.head->count;
-+ buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list,
-+ struct n_hdlc_buf, list_item);
-+ if (buf)
-+ count = buf->count;
- else
- count = 0;
- spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags);
-@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
- count = tty_chars_in_buffer(tty);
- /* add size of next output frame in queue */
- spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags);
-- if (n_hdlc->tx_buf_list.head)
-- count += n_hdlc->tx_buf_list.head->count;
-+ buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list,
-+ struct n_hdlc_buf, list_item);
-+ if (buf)
-+ count += buf->count;
- spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags);
- error = put_user(count, (int __user *)arg);
- break;
-@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
- poll_wait(filp, &tty->write_wait, wait);
-
- /* set bits for operations that won't block */
-- if (n_hdlc->rx_buf_list.head)
-+ if (!list_empty(&n_hdlc->rx_buf_list.list))
- mask |= POLLIN | POLLRDNORM; /* readable */
- if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
- mask |= POLLHUP;
- if (tty_hung_up_p(filp))
- mask |= POLLHUP;
- if (!tty_is_writelocked(tty) &&
-- n_hdlc->tx_free_buf_list.head)
-+ !list_empty(&n_hdlc->tx_free_buf_list.list))
- mask |= POLLOUT | POLLWRNORM; /* writable */
- }
- return mask;
-@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void)
- spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
- spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
- spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
--
-+
-+ INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list);
-+ INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list);
-+
- /* allocate free rx buffer list */
- for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
- buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
-@@ -884,53 +878,65 @@ static struct n_hdlc *n_hdlc_alloc(void)
- } /* end of n_hdlc_alloc() */
-
- /**
-+ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list
-+ * @buf_list - pointer to the buffer list
-+ * @buf - pointer to the buffer
-+ */
-+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
-+ struct n_hdlc_buf *buf)
-+{
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ list_add(&buf->list_item, &buf_list->list);
-+ buf_list->count++;
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
-+}
-+
-+/**
- * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
-- * @list - pointer to buffer list
-+ * @buf_list - pointer to buffer list
- * @buf - pointer to buffer
- */
--static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
-+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list,
- struct n_hdlc_buf *buf)
- {
- unsigned long flags;
-- spin_lock_irqsave(&list->spinlock,flags);
--
-- buf->link=NULL;
-- if (list->tail)
-- list->tail->link = buf;
-- else
-- list->head = buf;
-- list->tail = buf;
-- (list->count)++;
--
-- spin_unlock_irqrestore(&list->spinlock,flags);
--
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ list_add_tail(&buf->list_item, &buf_list->list);
-+ buf_list->count++;
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
- } /* end of n_hdlc_buf_put() */
-
- /**
- * n_hdlc_buf_get - remove and return an HDLC buffer from list
-- * @list - pointer to HDLC buffer list
-+ * @buf_list - pointer to HDLC buffer list
- *
- * Remove and return an HDLC buffer from the head of the specified HDLC buffer
- * list.
- * Returns a pointer to HDLC buffer if available, otherwise %NULL.
- */
--static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list)
-+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list)
- {
- unsigned long flags;
- struct n_hdlc_buf *buf;
-- spin_lock_irqsave(&list->spinlock,flags);
--
-- buf = list->head;
-+
-+ spin_lock_irqsave(&buf_list->spinlock, flags);
-+
-+ buf = list_first_entry_or_null(&buf_list->list,
-+ struct n_hdlc_buf, list_item);
- if (buf) {
-- list->head = buf->link;
-- (list->count)--;
-+ list_del(&buf->list_item);
-+ buf_list->count--;
- }
-- if (!list->head)
-- list->tail = NULL;
--
-- spin_unlock_irqrestore(&list->spinlock,flags);
-+
-+ spin_unlock_irqrestore(&buf_list->spinlock, flags);
- return buf;
--
- } /* end of n_hdlc_buf_get() */
-
- static char hdlc_banner[] __initdata =
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch b/debian/patches/bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
deleted file mode 100644
index 5e8eac3..0000000
--- a/debian/patches/bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From: Peter Hurley <peter at hurleysoftware.com>
-Date: Fri, 27 Nov 2015 14:30:21 -0500
-Subject: tty: Prevent ldisc drivers from re-using stale tty fields
-Origin: https://git.kernel.org/linus/dd42bf1197144ede075a9d4793123f7689e164bc
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2015-8964
-
-Line discipline drivers may mistakenly misuse ldisc-related fields
-when initializing. For example, a failure to initialize tty->receive_room
-in the N_GIGASET_M101 line discipline was recently found and fixed [1].
-Now, the N_X25 line discipline has been discovered accessing the previous
-line discipline's already-freed private data [2].
-
-Harden the ldisc interface against misuse by initializing revelant
-tty fields before instancing the new line discipline.
-
-[1]
- commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
- Author: Tilman Schmidt <tilman at imap.cc>
- Date: Tue Jul 14 00:37:13 2015 +0200
-
- isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
-
-[2] Report from Sasha Levin <sasha.levin at oracle.com>
- [ 634.336761] ==================================================================
- [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
- [ 634.339558] Read of size 4 by task syzkaller_execu/8981
- [ 634.340359] =============================================================================
- [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
- ...
- [ 634.405018] Call Trace:
- [ 634.405277] dump_stack (lib/dump_stack.c:52)
- [ 634.405775] print_trailer (mm/slub.c:655)
- [ 634.406361] object_err (mm/slub.c:662)
- [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
- [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
- [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
- [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
- [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
- [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
- [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
- [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
- [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
-
-Cc: Tilman Schmidt <tilman at imap.cc>
-Cc: Sasha Levin <sasha.levin at oracle.com>
-Signed-off-by: Peter Hurley <peter at hurleysoftware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/tty/tty_ldisc.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/tty/tty_ldisc.c
-+++ b/drivers/tty/tty_ldisc.c
-@@ -414,6 +414,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush);
- * they are not on hot paths so a little discipline won't do
- * any harm.
- *
-+ * The line discipline-related tty_struct fields are reset to
-+ * prevent the ldisc driver from re-using stale information for
-+ * the new ldisc instance.
-+ *
- * Locking: takes termios_rwsem
- */
-
-@@ -422,6 +426,9 @@ static void tty_set_termios_ldisc(struct
- down_write(&tty->termios_rwsem);
- tty->termios.c_line = num;
- up_write(&tty->termios_rwsem);
-+
-+ tty->disc_data = NULL;
-+ tty->receive_room = 0;
- }
-
- /**
diff --git a/debian/patches/bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch b/debian/patches/bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
deleted file mode 100644
index f55c431..0000000
--- a/debian/patches/bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Lars-Peter Clausen <lars at metafoo.de>
-Date: Thu, 14 Apr 2016 17:01:17 +0200
-Subject: usb: gadget: f_fs: Fix use-after-free
-Origin: https://git.kernel.org/linus/38740a5b87d53ceb89eb2c970150f6e94e00373a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-7912
-
-When using asynchronous read or write operations on the USB endpoints the
-issuer of the IO request is notified by calling the ki_complete() callback
-of the submitted kiocb when the URB has been completed.
-
-Calling this ki_complete() callback will free kiocb. Make sure that the
-structure is no longer accessed beyond that point, otherwise undefined
-behaviour might occur.
-
-Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
-Cc: <stable at vger.kernel.org> # v3.15+
-Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
-Signed-off-by: Felipe Balbi <felipe.balbi at linux.intel.com>
-[bwh: Backported to 3.16:
- - Adjust filename
- - We only use kiocb::private, not kiocb::ki_flags]
----
---- a/drivers/usb/gadget/f_fs.c
-+++ b/drivers/usb/gadget/f_fs.c
-@@ -669,7 +669,6 @@ static void ffs_user_copy_worker(struct
-
- usb_ep_free_request(io_data->ep, io_data->req);
-
-- io_data->kiocb->private = NULL;
- if (io_data->read)
- kfree(io_data->iovec);
- kfree(io_data->buf);
diff --git a/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch b/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
deleted file mode 100644
index bb224f3..0000000
--- a/debian/patches/bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Tue, 10 Jan 2017 12:05:37 +0100
-Subject: USB: serial: kl5kusb105: fix line-state error handling
-Origin: https://git.kernel.org/linus/146cc8a17a3b4996f6805ee5c080e7101277c410
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5549
-
-The current implementation failed to detect short transfers when
-attempting to read the line state, and also, to make things worse,
-logged the content of the uninitialised heap transfer buffer.
-
-Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable <stable at vger.kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-Signed-off-by: Johan Hovold <johan at kernel.org>
----
- drivers/usb/serial/kl5kusb105.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
---- a/drivers/usb/serial/kl5kusb105.c
-+++ b/drivers/usb/serial/kl5kusb105.c
-@@ -195,10 +195,11 @@ static int klsi_105_get_line_state(struc
- status_buf, KLSI_STATUSBUF_LEN,
- 10000
- );
-- if (rc < 0)
-- dev_err(&port->dev, "Reading line status failed (error = %d)\n",
-- rc);
-- else {
-+ if (rc != KLSI_STATUSBUF_LEN) {
-+ dev_err(&port->dev, "reading line status failed: %d\n", rc);
-+ if (rc >= 0)
-+ rc = -EIO;
-+ } else {
- status = get_unaligned_le16(status_buf);
-
- dev_info(&port->serial->dev->dev, "read status %x %x\n",
diff --git a/debian/patches/bugfix/all/xfs-propagate-dentry-down-to-inode_change_ok.patch b/debian/patches/bugfix/all/xfs-propagate-dentry-down-to-inode_change_ok.patch
deleted file mode 100644
index 371d9e9..0000000
--- a/debian/patches/bugfix/all/xfs-propagate-dentry-down-to-inode_change_ok.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From: Jan Kara <jack at suse.cz>
-Date: Thu, 26 May 2016 14:46:43 +0200
-Subject: xfs: Propagate dentry down to inode_change_ok()
-Origin: https://git.kernel.org/linus/69bca80744eef58fa155e8042996b968fec17b26
-
-To avoid clearing of capabilities or security related extended
-attributes too early, inode_change_ok() will need to take dentry instead
-of inode. Propagate dentry down to functions calling inode_change_ok().
-This is rather straightforward except for xfs_set_mode() function which
-does not have dentry easily available. Luckily that function does not
-call inode_change_ok() anyway so we just have to do a little dance with
-function prototypes.
-
-Acked-by: Dave Chinner <dchinner at redhat.com>
-Reviewed-by: Christoph Hellwig <hch at lst.de>
-Signed-off-by: Jan Kara <jack at suse.cz>
-[bwh: Backported to 3.16:
- - Keep XFS_ERROR() calls
- - Adjust context, indentation]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- fs/xfs/xfs_file.c | 2 +-
- fs/xfs/xfs_inode.c | 2 +-
- fs/xfs/xfs_ioctl.c | 2 +-
- fs/xfs/xfs_iops.c | 94 ++++++++++++++++++++++++++++++++++++------------------
- fs/xfs/xfs_iops.h | 3 +-
- 5 files changed, 68 insertions(+), 35 deletions(-)
-
---- a/fs/xfs/xfs_file.c
-+++ b/fs/xfs/xfs_file.c
-@@ -862,7 +862,7 @@ xfs_file_fallocate(
-
- iattr.ia_valid = ATTR_SIZE;
- iattr.ia_size = new_size;
-- error = xfs_setattr_size(ip, &iattr);
-+ error = xfs_vn_setattr_size(file->f_dentry, &iattr);
- }
-
- out_unlock:
---- a/fs/xfs/xfs_inode.c
-+++ b/fs/xfs/xfs_inode.c
-@@ -1776,7 +1776,7 @@ xfs_inactive_truncate(
- /*
- * Log the inode size first to prevent stale data exposure in the event
- * of a system crash before the truncate completes. See the related
-- * comment in xfs_setattr_size() for details.
-+ * comment in xfs_vn_setattr_size() for details.
- */
- ip->i_d.di_size = 0;
- xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
---- a/fs/xfs/xfs_ioctl.c
-+++ b/fs/xfs/xfs_ioctl.c
-@@ -717,7 +717,7 @@ xfs_ioc_space(
- iattr.ia_valid = ATTR_SIZE;
- iattr.ia_size = bf->l_start;
-
-- error = xfs_setattr_size(ip, &iattr);
-+ error = xfs_vn_setattr_size(filp->f_dentry, &iattr);
- if (!error)
- clrprealloc = true;
- break;
---- a/fs/xfs/xfs_iops.c
-+++ b/fs/xfs/xfs_iops.c
-@@ -525,6 +525,30 @@ xfs_setattr_time(
- }
- }
-
-+static int
-+xfs_vn_change_ok(
-+ struct dentry *dentry,
-+ struct iattr *iattr)
-+{
-+ struct inode *inode = d_inode(dentry);
-+ struct xfs_inode *ip = XFS_I(inode);
-+ struct xfs_mount *mp = ip->i_mount;
-+
-+ if (mp->m_flags & XFS_MOUNT_RDONLY)
-+ return XFS_ERROR(EROFS);
-+
-+ if (XFS_FORCED_SHUTDOWN(mp))
-+ return XFS_ERROR(EIO);
-+
-+ return XFS_ERROR(-inode_change_ok(inode, iattr));
-+}
-+
-+/*
-+ * Set non-size attributes of an inode.
-+ *
-+ * Caution: The caller of this function is responsible for calling
-+ * inode_change_ok() or otherwise verifying the change is fine.
-+ */
- int
- xfs_setattr_nonsize(
- struct xfs_inode *ip,
-@@ -541,21 +565,6 @@ xfs_setattr_nonsize(
- struct xfs_dquot *udqp = NULL, *gdqp = NULL;
- struct xfs_dquot *olddquot1 = NULL, *olddquot2 = NULL;
-
-- trace_xfs_setattr(ip);
--
-- /* If acls are being inherited, we already have this checked */
-- if (!(flags & XFS_ATTR_NOACL)) {
-- if (mp->m_flags & XFS_MOUNT_RDONLY)
-- return XFS_ERROR(EROFS);
--
-- if (XFS_FORCED_SHUTDOWN(mp))
-- return XFS_ERROR(EIO);
--
-- error = -inode_change_ok(inode, iattr);
-- if (error)
-- return XFS_ERROR(error);
-- }
--
- ASSERT((mask & ATTR_SIZE) == 0);
-
- /*
-@@ -729,8 +738,27 @@ out_dqrele:
- return error;
- }
-
-+int
-+xfs_vn_setattr_nonsize(
-+ struct dentry *dentry,
-+ struct iattr *iattr)
-+{
-+ struct xfs_inode *ip = XFS_I(d_inode(dentry));
-+ int error;
-+
-+ trace_xfs_setattr(ip);
-+
-+ error = xfs_vn_change_ok(dentry, iattr);
-+ if (error)
-+ return error;
-+ return xfs_setattr_nonsize(ip, iattr, 0);
-+}
-+
- /*
- * Truncate file. Must have write permission and not be a directory.
-+ *
-+ * Caution: The caller of this function is responsible for calling
-+ * inode_change_ok() or otherwise verifying the change is fine.
- */
- int
- xfs_setattr_size(
-@@ -746,18 +774,6 @@ xfs_setattr_size(
- uint commit_flags = 0;
- bool did_zeroing = false;
-
-- trace_xfs_setattr(ip);
--
-- if (mp->m_flags & XFS_MOUNT_RDONLY)
-- return XFS_ERROR(EROFS);
--
-- if (XFS_FORCED_SHUTDOWN(mp))
-- return XFS_ERROR(EIO);
--
-- error = -inode_change_ok(inode, iattr);
-- if (error)
-- return XFS_ERROR(error);
--
- ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
- ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL));
- ASSERT(S_ISREG(ip->i_d.di_mode));
-@@ -929,6 +945,22 @@ out_trans_cancel:
- goto out_unlock;
- }
-
-+int
-+xfs_vn_setattr_size(
-+ struct dentry *dentry,
-+ struct iattr *iattr)
-+{
-+ struct xfs_inode *ip = XFS_I(d_inode(dentry));
-+ int error;
-+
-+ trace_xfs_setattr(ip);
-+
-+ error = xfs_vn_change_ok(dentry, iattr);
-+ if (error)
-+ return error;
-+ return xfs_setattr_size(ip, iattr);
-+}
-+
- STATIC int
- xfs_vn_setattr(
- struct dentry *dentry,
-@@ -939,10 +971,10 @@ xfs_vn_setattr(
-
- if (iattr->ia_valid & ATTR_SIZE) {
- xfs_ilock(ip, XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL);
-- error = xfs_setattr_size(ip, iattr);
-+ error = xfs_vn_setattr_size(dentry, iattr);
- xfs_iunlock(ip, XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL);
- } else {
-- error = xfs_setattr_nonsize(ip, iattr, 0);
-+ error = xfs_vn_setattr_nonsize(dentry, iattr);
- }
-
- return -error;
---- a/fs/xfs/xfs_iops.h
-+++ b/fs/xfs/xfs_iops.h
-@@ -34,6 +34,7 @@ extern void xfs_setup_inode(struct xfs_i
-
- extern int xfs_setattr_nonsize(struct xfs_inode *ip, struct iattr *vap,
- int flags);
--extern int xfs_setattr_size(struct xfs_inode *ip, struct iattr *vap);
-+extern int xfs_vn_setattr_nonsize(struct dentry *dentry, struct iattr *vap);
-+extern int xfs_vn_setattr_size(struct dentry *dentry, struct iattr *vap);
-
- #endif /* __XFS_IOPS_H__ */
diff --git a/debian/patches/bugfix/x86/fix-potential-infoleak-in-older-kernels.patch b/debian/patches/bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
deleted file mode 100644
index f37b1da..0000000
--- a/debian/patches/bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Linus Torvalds <torvalds at linux-foundation.org>
-Date: Tue, 8 Nov 2016 11:17:00 +0100
-Subject: Fix potential infoleak in older kernels
-Origin: https://git.kernel.org/linus/dc1555e670c373bfa4ca2e1e2f839d5fe2b4501a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9178
-
-Not upstream as it is not needed there.
-
-So a patch something like this might be a safe way to fix the
-potential infoleak in older kernels.
-
-THIS IS UNTESTED. It's a very obvious patch, though, so if it compiles
-it probably works. It just initializes the output variable with 0 in
-the inline asm description, instead of doing it in the exception
-handler.
-
-It will generate slightly worse code (a few unnecessary ALU
-operations), but it doesn't have any interactions with the exception
-handler implementation.
-
-
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- arch/x86/include/asm/uaccess.h | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/arch/x86/include/asm/uaccess.h
-+++ b/arch/x86/include/asm/uaccess.h
-@@ -329,7 +329,7 @@ do { \
- #define __get_user_asm_u64(x, ptr, retval, errret) \
- __get_user_asm(x, ptr, retval, "q", "", "=r", errret)
- #define __get_user_asm_ex_u64(x, ptr) \
-- __get_user_asm_ex(x, ptr, "q", "", "=r")
-+ __get_user_asm_ex(x, ptr, "q", "", "=&r")
- #endif
-
- #define __get_user_size(x, ptr, size, retval, errret) \
-@@ -372,13 +372,13 @@ do { \
- __chk_user_ptr(ptr); \
- switch (size) { \
- case 1: \
-- __get_user_asm_ex(x, ptr, "b", "b", "=q"); \
-+ __get_user_asm_ex(x, ptr, "b", "b", "=&q"); \
- break; \
- case 2: \
-- __get_user_asm_ex(x, ptr, "w", "w", "=r"); \
-+ __get_user_asm_ex(x, ptr, "w", "w", "=&r"); \
- break; \
- case 4: \
-- __get_user_asm_ex(x, ptr, "l", "k", "=r"); \
-+ __get_user_asm_ex(x, ptr, "l", "k", "=&r"); \
- break; \
- case 8: \
- __get_user_asm_ex_u64(x, ptr); \
-@@ -392,7 +392,7 @@ do { \
- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
- "2:\n" \
- _ASM_EXTABLE_EX(1b, 2b) \
-- : ltype(x) : "m" (__m(addr)))
-+ : ltype(x) : "m" (__m(addr)), "0" (0))
-
- #define __put_user_nocheck(x, ptr, size) \
- ({ \
diff --git a/debian/patches/bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch b/debian/patches/bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
deleted file mode 100644
index c8872a6..0000000
--- a/debian/patches/bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Tue, 24 Jan 2017 11:56:21 +0100
-Subject: kvm: fix page struct leak in handle_vmon
-Origin: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit?id=06ce521af9558814b8606c0476c54497cf83a653
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2596
-
-handle_vmon gets a reference on VMXON region page,
-but does not release it. Release the reference.
-
-Found by syzkaller; based on a patch by Dmitry.
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-[bwh: Backported to 3.16: use skip_emulated_instruction()]
----
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -5949,14 +5949,20 @@ static int nested_vmx_check_vmptr(struct
- }
-
- page = nested_get_page(vcpu, vmptr);
-- if (page == NULL ||
-- *(u32 *)kmap(page) != VMCS12_REVISION) {
-+ if (page == NULL) {
- nested_vmx_failInvalid(vcpu);
-+ skip_emulated_instruction(vcpu);
-+ return 1;
-+ }
-+ if (*(u32 *)kmap(page) != VMCS12_REVISION) {
- kunmap(page);
-+ nested_release_page_clean(page);
-+ nested_vmx_failInvalid(vcpu);
- skip_emulated_instruction(vcpu);
- return 1;
- }
- kunmap(page);
-+ nested_release_page_clean(page);
- vmx->nested.vmxon_ptr = vmptr;
- break;
- case EXIT_REASON_VMCLEAR:
diff --git a/debian/patches/bugfix/x86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch b/debian/patches/bugfix/x86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
deleted file mode 100644
index 33878e2..0000000
--- a/debian/patches/bugfix/x86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Jim Mattson <jmattson at google.com>
-Date: Mon, 12 Dec 2016 11:01:37 -0800
-Subject: kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
-Origin: https://git.kernel.org/linus/ef85b67385436ddc1998f45f1d6a210f935b3388
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9588
-
-When L2 exits to L0 due to "exception or NMI", software exceptions
-(#BP and #OF) for which L1 has requested an intercept should be
-handled by L1 rather than L0. Previously, only hardware exceptions
-were forwarded to L1.
-
-Signed-off-by: Jim Mattson <jmattson at google.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
- arch/x86/kvm/vmx.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -1073,10 +1073,10 @@ static inline int nested_cpu_has_ept(str
- return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_EPT);
- }
-
--static inline bool is_exception(u32 intr_info)
-+static inline bool is_nmi(u32 intr_info)
- {
- return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
-- == (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK);
-+ == (INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK);
- }
-
- static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
-@@ -4831,7 +4831,7 @@ static int handle_exception(struct kvm_v
- if (is_machine_check(intr_info))
- return handle_machine_check(vcpu);
-
-- if ((intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR)
-+ if (is_nmi(intr_info))
- return 1; /* already handled by vmx_vcpu_run() */
-
- if (is_no_device(intr_info)) {
-@@ -6889,7 +6889,7 @@ static bool nested_vmx_exit_handled(stru
-
- switch (exit_reason) {
- case EXIT_REASON_EXCEPTION_NMI:
-- if (!is_exception(intr_info))
-+ if (is_nmi(intr_info))
- return 0;
- else if (is_page_fault(intr_info))
- return enable_ept;
-@@ -7186,8 +7186,7 @@ static void vmx_complete_atomic_exit(str
- kvm_machine_check();
-
- /* We need to handle NMIs before interrupts are enabled */
-- if ((exit_intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR &&
-- (exit_intr_info & INTR_INFO_VALID_MASK)) {
-+ if (is_nmi(exit_intr_info)) {
- kvm_before_handle_nmi(&vmx->vcpu);
- asm("int $2");
- kvm_after_handle_nmi(&vmx->vcpu);
diff --git a/debian/patches/bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch b/debian/patches/bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
deleted file mode 100644
index fe1a31a..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar at redhat.com>
-Date: Wed, 23 Nov 2016 21:15:00 +0100
-Subject: KVM: x86: drop error recovery in em_jmp_far and em_ret_far
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/2117d5398c81554fbf803f5fd1dc55eb78216c0c
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9756
-
-em_jmp_far and em_ret_far assumed that setting IP can only fail in 64
-bit mode, but syzkaller proved otherwise (and SDM agrees).
-Code segment was restored upon failure, but it was left uninitialized
-outside of long mode, which could lead to a leak of host kernel stack.
-We could have fixed that by always saving and restoring the CS, but we
-take a simpler approach and just break any guest that manages to fail
-as the error recovery is error-prone and modern CPUs don't need emulator
-for this.
-
-Found by syzkaller:
-
- WARNING: CPU: 2 PID: 3668 at arch/x86/kvm/emulate.c:2217 em_ret_far+0x428/0x480
- Kernel panic - not syncing: panic_on_warn set ...
-
- CPU: 2 PID: 3668 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- [...]
- Call Trace:
- [...] __dump_stack lib/dump_stack.c:15
- [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
- [...] panic+0x1b7/0x3a3 kernel/panic.c:179
- [...] __warn+0x1c4/0x1e0 kernel/panic.c:542
- [...] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
- [...] em_ret_far+0x428/0x480 arch/x86/kvm/emulate.c:2217
- [...] em_ret_far_imm+0x17/0x70 arch/x86/kvm/emulate.c:2227
- [...] x86_emulate_insn+0x87a/0x3730 arch/x86/kvm/emulate.c:5294
- [...] x86_emulate_instruction+0x520/0x1ba0 arch/x86/kvm/x86.c:5545
- [...] emulate_instruction arch/x86/include/asm/kvm_host.h:1116
- [...] complete_emulated_io arch/x86/kvm/x86.c:6870
- [...] complete_emulated_mmio+0x4e9/0x710 arch/x86/kvm/x86.c:6934
- [...] kvm_arch_vcpu_ioctl_run+0x3b7a/0x5a90 arch/x86/kvm/x86.c:6978
- [...] kvm_vcpu_ioctl+0x61e/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557
- [...] vfs_ioctl fs/ioctl.c:43
- [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
- [...] SYSC_ioctl fs/ioctl.c:694
- [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
- [...] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: stable at vger.kernel.org
-Fixes: d1442d85cc30 ("KVM: x86: Handle errors when RIP is set during far jumps")
-Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
-[bwh: Backported to 3.16: adjust context]
----
- arch/x86/kvm/emulate.c | 36 +++++++++++-------------------------
- 1 file changed, 11 insertions(+), 25 deletions(-)
-
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -1983,16 +1983,10 @@ static int em_iret(struct x86_emulate_ct
- static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
- {
- int rc;
-- unsigned short sel, old_sel;
-- struct desc_struct old_desc, new_desc;
-- const struct x86_emulate_ops *ops = ctxt->ops;
-+ unsigned short sel;
-+ struct desc_struct new_desc;
- u8 cpl = ctxt->ops->cpl(ctxt);
-
-- /* Assignment of RIP may only fail in 64-bit mode */
-- if (ctxt->mode == X86EMUL_MODE_PROT64)
-- ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
-- VCPU_SREG_CS);
--
- memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
-
- rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
-@@ -2001,12 +1995,10 @@ static int em_jmp_far(struct x86_emulate
- return rc;
-
- rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
-- if (rc != X86EMUL_CONTINUE) {
-- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-- /* assigning eip failed; restore the old cs */
-- ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
-- return rc;
-- }
-+ /* Error handling is not implemented. */
-+ if (rc != X86EMUL_CONTINUE)
-+ return X86EMUL_UNHANDLEABLE;
-+
- return rc;
- }
-
-@@ -2072,14 +2064,8 @@ static int em_ret_far(struct x86_emulate
- {
- int rc;
- unsigned long eip, cs;
-- u16 old_cs;
- int cpl = ctxt->ops->cpl(ctxt);
-- struct desc_struct old_desc, new_desc;
-- const struct x86_emulate_ops *ops = ctxt->ops;
--
-- if (ctxt->mode == X86EMUL_MODE_PROT64)
-- ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
-- VCPU_SREG_CS);
-+ struct desc_struct new_desc;
-
- rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
- if (rc != X86EMUL_CONTINUE)
-@@ -2095,10 +2081,10 @@ static int em_ret_far(struct x86_emulate
- if (rc != X86EMUL_CONTINUE)
- return rc;
- rc = assign_eip_far(ctxt, eip, new_desc.l);
-- if (rc != X86EMUL_CONTINUE) {
-- WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-- ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
-- }
-+ /* Error handling is not implemented. */
-+ if (rc != X86EMUL_CONTINUE)
-+ return X86EMUL_UNHANDLEABLE;
-+
- return rc;
- }
-
diff --git a/debian/patches/bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch b/debian/patches/bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
deleted file mode 100644
index 694088a..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Thu, 12 Jan 2017 15:02:32 +0100
-Subject: KVM: x86: fix emulation of "MOV SS, null selector"
-Origin: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2583
-
-This is CVE-2017-2583. On Intel this causes a failed vmentry because
-SS's type is neither 3 nor 7 (even though the manual says this check is
-only done for usable SS, and the dmesg splat says that SS is unusable!).
-On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.
-
-The fix fabricates a data segment descriptor when SS is set to a null
-selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
-Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
-this in turn ensures CPL < 3 because RPL must be equal to CPL.
-
-Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
-the bug and deciphering the manuals.
-
-Reported-by: Xiaohan Zhang <zhangxiaohan1 at huawei.com>
-Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011
-Cc: stable at nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-[bwh: Backported to 3.16: adjust context]
----
- arch/x86/kvm/emulate.c | 48 ++++++++++++++++++++++++++++++++++++++----------
- 1 file changed, 38 insertions(+), 10 deletions(-)
-
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -1441,7 +1441,6 @@ static int write_segment_descriptor(stru
- &ctxt->exception);
- }
-
--/* Does not support long mode */
- static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- u16 selector, int seg, u8 cpl,
- bool in_task_switch,
-@@ -1477,20 +1476,34 @@ static int __load_segment_descriptor(str
-
- rpl = selector & 3;
-
-- /* NULL selector is not valid for TR, CS and SS (except for long mode) */
-- if ((seg == VCPU_SREG_CS
-- || (seg == VCPU_SREG_SS
-- && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
-- || seg == VCPU_SREG_TR)
-- && null_selector)
-- goto exception;
--
- /* TR should be in GDT only */
- if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
- goto exception;
-
-- if (null_selector) /* for NULL selector skip all following checks */
-+ /* NULL selector is not valid for TR, CS and (except for long mode) SS */
-+ if (null_selector) {
-+ if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
-+ goto exception;
-+
-+ if (seg == VCPU_SREG_SS) {
-+ if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
-+ goto exception;
-+
-+ /*
-+ * ctxt->ops->set_segment expects the CPL to be in
-+ * SS.DPL, so fake an expand-up 32-bit data segment.
-+ */
-+ seg_desc.type = 3;
-+ seg_desc.p = 1;
-+ seg_desc.s = 1;
-+ seg_desc.dpl = cpl;
-+ seg_desc.d = 1;
-+ seg_desc.g = 1;
-+ }
-+
-+ /* Skip all following checks */
- goto load;
-+ }
-
- ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
- if (ret != X86EMUL_CONTINUE)
-@@ -1586,6 +1599,21 @@ static int load_segment_descriptor(struc
- u16 selector, int seg)
- {
- u8 cpl = ctxt->ops->cpl(ctxt);
-+
-+ /*
-+ * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
-+ * they can load it at CPL<3 (Intel's manual says only LSS can,
-+ * but it's wrong).
-+ *
-+ * However, the Intel manual says that putting IST=1/DPL=3 in
-+ * an interrupt gate will result in SS=3 (the AMD manual instead
-+ * says it doesn't), so allow SS=3 in __load_segment_descriptor
-+ * and only forbid it here.
-+ */
-+ if (seg == VCPU_SREG_SS && selector == 3 &&
-+ ctxt->mode == X86EMUL_MODE_PROT64)
-+ return emulate_exception(ctxt, GP_VECTOR, 0, true);
-+
- return __load_segment_descriptor(ctxt, selector, seg, cpl, false, NULL);
- }
-
diff --git a/debian/patches/bugfix/x86/kvm-x86-introduce-segmented_write_std.patch b/debian/patches/bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
deleted file mode 100644
index cdc93ef..0000000
--- a/debian/patches/bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From: Steve Rutherford <srutherford at google.com>
-Date: Wed, 11 Jan 2017 18:28:29 -0800
-Subject: KVM: x86: Introduce segmented_write_std
-Origin: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2584
-
-Introduces segemented_write_std.
-
-Switches from emulated reads/writes to standard read/writes in fxsave,
-fxrstor, sgdt, and sidt. This fixes CVE-2017-2584, a longstanding
-kernel memory leak.
-
-Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
-2016-11-09), which is luckily not yet in any final release, this would
-also be an exploitable kernel memory *write*!
-
-Reported-by: Dmitry Vyukov <dvyukov at google.com>
-Cc: stable at vger.kernel.org
-Fixes: 96051572c819194c37a8367624b285be10297eca
-Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
-Suggested-by: Paolo Bonzini <pbonzini at redhat.com>
-Signed-off-by: Steve Rutherford <srutherford at google.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-[bwh: Backported to 3.16: drop changes to em_fxsave(), em_fxrstor()]
----
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -744,6 +744,20 @@ static int segmented_read_std(struct x86
- return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
- }
-
-+static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
-+ struct segmented_address addr,
-+ void *data,
-+ unsigned int size)
-+{
-+ int rc;
-+ ulong linear;
-+
-+ rc = linearize(ctxt, addr, size, true, &linear);
-+ if (rc != X86EMUL_CONTINUE)
-+ return rc;
-+ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
-+}
-+
- /*
- * Fetch the next byte of the instruction being emulated which is pointed to
- * by ctxt->_eip, then increment ctxt->_eip.
-@@ -3270,8 +3284,8 @@ static int emulate_store_desc_ptr(struct
- }
- /* Disable writeback. */
- ctxt->dst.type = OP_NONE;
-- return segmented_write(ctxt, ctxt->dst.addr.mem,
-- &desc_ptr, 2 + ctxt->op_bytes);
-+ return segmented_write_std(ctxt, ctxt->dst.addr.mem,
-+ &desc_ptr, 2 + ctxt->op_bytes);
- }
-
- static int em_sgdt(struct x86_emulate_ctxt *ctxt)
diff --git a/debian/patches/debian/arm64-ptrace-avoid-abi-change-in-3.16.42.patch b/debian/patches/debian/arm64-ptrace-avoid-abi-change-in-3.16.42.patch
new file mode 100644
index 0000000..a798ce9
--- /dev/null
+++ b/debian/patches/debian/arm64-ptrace-avoid-abi-change-in-3.16.42.patch
@@ -0,0 +1,23 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 27 Jan 2017 04:53:54 +0000
+Subject: arm64: ptrace: Avoid ABI change in 3.16.42
+Forwarded: not-needed
+
+Commit aeb1f39d814b "arm64/ptrace: Avoid uninitialised struct padding
+in fpr_set()" added a new member to struct user_fpsimd_state, but it
+takes the place of what was padding (for 128-bit alignment). Hide
+this from genksyms.
+
+---
+--- a/arch/arm64/include/uapi/asm/ptrace.h
++++ b/arch/arm64/include/uapi/asm/ptrace.h
+@@ -75,7 +75,9 @@ struct user_fpsimd_state {
+ __uint128_t vregs[32];
+ __u32 fpsr;
+ __u32 fpcr;
++#if !defined(__KERNEL__) || !defined(__GENKSYMS__)
+ __u32 __reserved[2];
++#endif
+ };
+
+ struct user_hwdebug_state {
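Review bot: The `#if !defined(__KERNEL__) || !defined(__GENKSYMS__)` guard around `__u32 __reserved[2];` has no comment in ptrace.h, so a later reader of the header cannot tell that it exists only to keep symbol versions stable; the reason is recorded only in the patch description. A one-line comment above the guard would cover it, e.g. `/* Hidden from genksyms only: occupies former tail padding, layout unchanged */`. The patch is safe only if the member really does fill what was alignment padding. Because the upstream change is about uninitialised padding in fpr_set(), a compile-time size check on struct user_fpsimd_state would make that assumption verifiable rather than asserted. The struct definition begins above the lines shown in the inner hunk.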
diff --git a/debian/patches/debian/mmc-avoid-abi-change-for-mmc-core-annotate-cmd_hdr-as-__le32.patch b/debian/patches/debian/mmc-avoid-abi-change-for-mmc-core-annotate-cmd_hdr-as-__le32.patch
new file mode 100644
index 0000000..6aef890
--- /dev/null
+++ b/debian/patches/debian/mmc-avoid-abi-change-for-mmc-core-annotate-cmd_hdr-as-__le32.patch
@@ -0,0 +1,26 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 02 Apr 2017 02:06:06 +0100
+Subject: mmc: Avoid ABI change for "mmc: core: Annotate cmd_hdr as __le32"
+Forwarded: not-needed
+
+Commit 3f2d26643595973e835e8356ea90c7c15cb1b0f1 changed the type alias
+used to declare mmc_packed::cmd_hdr from __le32 to u32, but the field
+apparently already contained little-endian words so this was not an ABI
+change. Hide it from genksyms.
+
+---
+
+--- a/drivers/mmc/card/queue.h
++++ b/drivers/mmc/card/queue.h
+@@ -24,7 +24,11 @@ enum mmc_packed_type {
+
+ struct mmc_packed {
+ struct list_head list;
++#ifdef __GENKSYMS__
++ u32 cmd_hdr[1024];
++#else
+ __le32 cmd_hdr[1024];
++#endif
+ unsigned int blocks;
+ u8 nr_entries;
+ u8 retries;
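Review bot: The description says the upstream commit changed `cmd_hdr` "from __le32 to u32", but the hunk does the opposite. It shows `u32 cmd_hdr[1024]` to genksyms (the old ABI) and keeps `__le32 cmd_hdr[1024]` for real builds, which matches the quoted subject "Annotate cmd_hdr as __le32". The direction in the description looks reversed and should read "from u32 to __le32". The code itself is consistent with its intent: both types are 32-bit, so only the symbol CRC is affected.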
diff --git a/debian/patches/debian/net-avoid-abi-change-for-net-fix-sk_mem_reclaim_partial.patch b/debian/patches/debian/net-avoid-abi-change-for-net-fix-sk_mem_reclaim_partial.patch
new file mode 100644
index 0000000..94c0f85
--- /dev/null
+++ b/debian/patches/debian/net-avoid-abi-change-for-net-fix-sk_mem_reclaim_partial.patch
@@ -0,0 +1,80 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: net: Avoid ABI change for "net: fix sk_mem_reclaim_partial()"
+Date: Sun, 02 Apr 2017 01:31:03 +0100
+Forwarded: not-needed
+
+Commit 1a24e04e4b50939daa3041682b38b82c896ca438 added a parameter to
+__sk_mem_reclaim(). Rename the modified function to
+__sk_mem_reclaim_amount() and add an ABI-compatible wrapper.
+
+---
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1411,7 +1411,8 @@ static inline struct inode *SOCK_INODE(s
+ * Functions for memory accounting
+ */
+ int __sk_mem_schedule(struct sock *sk, int size, int kind);
+-void __sk_mem_reclaim(struct sock *sk, int amount);
++void __sk_mem_reclaim(struct sock *sk);
++void __sk_mem_reclaim_amount(struct sock *sk, int amount);
+
+ #define SK_MEM_QUANTUM ((int)PAGE_SIZE)
+ #define SK_MEM_QUANTUM_SHIFT ilog2(SK_MEM_QUANTUM)
+@@ -1452,7 +1453,7 @@ static inline void sk_mem_reclaim(struct
+ if (!sk_has_account(sk))
+ return;
+ if (sk->sk_forward_alloc >= SK_MEM_QUANTUM)
+- __sk_mem_reclaim(sk, sk->sk_forward_alloc);
++ __sk_mem_reclaim_amount(sk, sk->sk_forward_alloc);
+ }
+
+ static inline void sk_mem_reclaim_partial(struct sock *sk)
+@@ -1460,7 +1461,7 @@ static inline void sk_mem_reclaim_partia
+ if (!sk_has_account(sk))
+ return;
+ if (sk->sk_forward_alloc > SK_MEM_QUANTUM)
+- __sk_mem_reclaim(sk, sk->sk_forward_alloc - 1);
++ __sk_mem_reclaim_amount(sk, sk->sk_forward_alloc - 1);
+ }
+
+ static inline void sk_mem_charge(struct sock *sk, int size)
+@@ -1484,7 +1485,7 @@ static inline void sk_mem_uncharge(struc
+ * no need to hold that much forward allocation anyway.
+ */
+ if (unlikely(sk->sk_forward_alloc >= 1 << 21))
+- __sk_mem_reclaim(sk, 1 << 20);
++ __sk_mem_reclaim_amount(sk, 1 << 20);
+ }
+
+ static inline void sk_wmem_free_skb(struct sock *sk, struct sk_buff *skb)
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2130,11 +2130,11 @@ suppress_allocation:
+ EXPORT_SYMBOL(__sk_mem_schedule);
+
+ /**
+- * __sk_reclaim - reclaim memory_allocated
++ * __sk_reclaim_amount - reclaim memory_allocated
+ * @sk: socket
+ * @amount: number of bytes (rounded down to a SK_MEM_QUANTUM multiple)
+ */
+-void __sk_mem_reclaim(struct sock *sk, int amount)
++void __sk_mem_reclaim_amount(struct sock *sk, int amount)
+ {
+ amount >>= SK_MEM_QUANTUM_SHIFT;
+ sk_memory_allocated_sub(sk, amount);
+@@ -2144,8 +2144,13 @@ void __sk_mem_reclaim(struct sock *sk, i
+ (sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)))
+ sk_leave_memory_pressure(sk);
+ }
+-EXPORT_SYMBOL(__sk_mem_reclaim);
++EXPORT_SYMBOL(__sk_mem_reclaim_amount);
+
++void __sk_mem_reclaim(struct sock *sk)
++{
++ __sk_mem_reclaim_amount(sk, sk->sk_forward_alloc);
++}
++EXPORT_SYMBOL(__sk_mem_reclaim);
+
+ /*
+ * Set of default routines for initialising struct proto_ops when
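Review bot: The kernel-doc header in the net/core/sock.c section is renamed to `__sk_reclaim_amount`, which does not match the function it documents. It should read ` * __sk_mem_reclaim_amount - reclaim memory_allocated`. The re-added one-argument `__sk_mem_reclaim()` has no comment at all. Since it exists only to keep the old exported symbol, a line such as `/* ABI-compatible wrapper; in-tree callers use __sk_mem_reclaim_amount() */` above it would stop someone from removing it or calling it from new code. The wrapper passes the whole `sk->sk_forward_alloc`, which appears to match the old no-argument semantics, but the pre-change body is not visible here to confirm.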
diff --git a/debian/patches/debian/revert-x86-panic-replace-smp_send_stop-with-kdump-friendly-version.patch b/debian/patches/debian/revert-x86-panic-replace-smp_send_stop-with-kdump-friendly-version.patch
new file mode 100644
index 0000000..180ce4b
--- /dev/null
+++ b/debian/patches/debian/revert-x86-panic-replace-smp_send_stop-with-kdump-friendly-version.patch
@@ -0,0 +1,168 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: Revert "x86/panic: replace smp_send_stop() with kdump friendly version in panic path"
+Date: Sun, 02 Apr 2017 01:09:41 +0100
+Forwarded: not-needed
+
+This reverts commit ed1d3436a46541e9343e697332260d5290c0fb6d, which
+was commit 0ee59413c967c35a6dd2dbdab605b4cd42025ee5 upstream.
+Firstly, the backport doesn't actually work (the #ifdef is wrong).
+Secondly, it causes an ABI change to smp_ops. Although OOT modules
+shouldn't be using it last time I ignored an ABI change to smp_ops
+someone complained about it breaking a certain proprietary hypervisor.
+Once the backport is fixed I can look at adapting it to not involve
+an ABI change.
+
+---
+--- a/arch/x86/include/asm/kexec.h
++++ b/arch/x86/include/asm/kexec.h
+@@ -165,7 +165,6 @@ struct kimage_arch {
+
+ typedef void crash_vmclear_fn(void);
+ extern crash_vmclear_fn __rcu *crash_vmclear_loaded_vmcss;
+-extern void kdump_nmi_shootdown_cpus(void);
+
+ #endif /* __ASSEMBLY__ */
+
+--- a/arch/x86/include/asm/smp.h
++++ b/arch/x86/include/asm/smp.h
+@@ -69,7 +69,6 @@ struct smp_ops {
+ void (*smp_cpus_done)(unsigned max_cpus);
+
+ void (*stop_other_cpus)(int wait);
+- void (*crash_stop_other_cpus)(void);
+ void (*smp_send_reschedule)(int cpu);
+
+ int (*cpu_up)(unsigned cpu, struct task_struct *tidle);
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -82,7 +82,7 @@ static void kdump_nmi_callback(int cpu,
+ disable_local_APIC();
+ }
+
+-void kdump_nmi_shootdown_cpus(void)
++static void kdump_nmi_shootdown_cpus(void)
+ {
+ in_crash_kexec = 1;
+ nmi_shootdown_cpus(kdump_nmi_callback);
+@@ -90,24 +90,8 @@ void kdump_nmi_shootdown_cpus(void)
+ disable_local_APIC();
+ }
+
+-/* Override the weak function in kernel/panic.c */
+-void crash_smp_send_stop(void)
+-{
+- static int cpus_stopped;
+-
+- if (cpus_stopped)
+- return;
+-
+- if (smp_ops.crash_stop_other_cpus)
+- smp_ops.crash_stop_other_cpus();
+- else
+- smp_send_stop();
+-
+- cpus_stopped = 1;
+-}
+-
+ #else
+-void crash_smp_send_stop(void)
++static void kdump_nmi_shootdown_cpus(void)
+ {
+ /* There are no cpus to shootdown */
+ }
+@@ -126,7 +110,7 @@ void native_machine_crash_shutdown(struc
+ /* The kernel is broken so disable interrupts */
+ local_irq_disable();
+
+- crash_smp_send_stop();
++ kdump_nmi_shootdown_cpus();
+
+ /*
+ * VMCLEAR VMCSs loaded on this cpu if needed.
+--- a/arch/x86/kernel/smp.c
++++ b/arch/x86/kernel/smp.c
+@@ -31,8 +31,6 @@
+ #include <asm/apic.h>
+ #include <asm/nmi.h>
+ #include <asm/trace/irq_vectors.h>
+-#include <asm/kexec.h>
+-
+ /*
+ * Some notes on x86 processor bugs affecting SMP operation:
+ *
+@@ -349,9 +347,6 @@ struct smp_ops smp_ops = {
+ .smp_cpus_done = native_smp_cpus_done,
+
+ .stop_other_cpus = native_stop_other_cpus,
+-#if defined(CONFIG_KEXEC_CORE)
+- .crash_stop_other_cpus = kdump_nmi_shootdown_cpus,
+-#endif
+ .smp_send_reschedule = native_smp_send_reschedule,
+
+ .cpu_up = native_cpu_up,
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -60,32 +60,6 @@ void __weak panic_smp_self_stop(void)
+ cpu_relax();
+ }
+
+-/*
+- * Stop other CPUs in panic. Architecture dependent code may override this
+- * with more suitable version. For example, if the architecture supports
+- * crash dump, it should save registers of each stopped CPU and disable
+- * per-CPU features such as virtualization extensions.
+- */
+-void __weak crash_smp_send_stop(void)
+-{
+- static int cpus_stopped;
+-
+- /*
+- * This function can be called twice in panic path, but obviously
+- * we execute this only once.
+- */
+- if (cpus_stopped)
+- return;
+-
+- /*
+- * Note smp_send_stop is the usual smp shutdown function, which
+- * unfortunately means it may not be hardened to work in a panic
+- * situation.
+- */
+- smp_send_stop();
+- cpus_stopped = 1;
+-}
+-
+ /**
+ * panic - halt the system
+ * @fmt: The text string to print
+@@ -143,23 +117,15 @@ void panic(const char *fmt, ...)
+ * If we want to run this after calling panic_notifiers, pass
+ * the "crash_kexec_post_notifiers" option to the kernel.
+ */
+- if (!crash_kexec_post_notifiers) {
++ if (!crash_kexec_post_notifiers)
+ crash_kexec(NULL);
+
+- /*
+- * Note smp_send_stop is the usual smp shutdown function, which
+- * unfortunately means it may not be hardened to work in a
+- * panic situation.
+- */
+- smp_send_stop();
+- } else {
+- /*
+- * If we want to do crash dump after notifier calls and
+- * kmsg_dump, we will need architecture dependent extra
+- * works in addition to stopping other CPUs.
+- */
+- crash_smp_send_stop();
+- }
++ /*
++ * Note smp_send_stop is the usual smp shutdown function, which
++ * unfortunately means it may not be hardened to work in a panic
++ * situation.
++ */
++ smp_send_stop();
+
+ /*
+ * Run any panic handlers, including those that might need to
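Review bot: The description says "the #ifdef is wrong" without naming it. That is presumably the `#if defined(CONFIG_KEXEC_CORE)` guard removed in the arch/x86/kernel/smp.c section, a symbol I believe 3.16 does not define, and the description should say so for whoever redoes the backport. The revert also restores the unconditional `smp_send_stop()` in `panic()`. With `crash_kexec_post_notifiers` set, the other CPUs are then stopped by the ordinary path before the crash kernel is entered. The removed comment itself notes that a post-notifier dump needs "architecture dependent extra works", so the description should record this as a known limitation until the fixed backport lands. `panic()` continues outside the hunk.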
diff --git a/debian/patches/debian/vfs-avoid-abi-change-for-mnt-add-a-per-mount-namespace-limit.patch b/debian/patches/debian/vfs-avoid-abi-change-for-mnt-add-a-per-mount-namespace-limit.patch
new file mode 100644
index 0000000..2af8cf3
--- /dev/null
+++ b/debian/patches/debian/vfs-avoid-abi-change-for-mnt-add-a-per-mount-namespace-limit.patch
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 02 Apr 2017 01:56:55 +0100
+Subject: vfs: Avoid ABI change for "mnt: Add a per mount namespace limit ..."
+Forwarded: not-needed
+
+Commit d29216842a85c7970c536108e093963f02714498 added two new fields
+to struct mnt_namespace. This structure is not exposed to OOT modules
+(as it is defined in fs/mount.h) and is always instantiated in the
+core kernel. Therefore hide the change from genksyms.
+
+---
+
+--- a/fs/mount.h
++++ b/fs/mount.h
+@@ -11,8 +11,10 @@ struct mnt_namespace {
+ u64 seq; /* Sequence number to prevent loops */
+ wait_queue_head_t poll;
+ u64 event;
++#ifndef __GENKSYMS__
+ unsigned int mounts; /* # of mounts in the namespace */
+ unsigned int pending_mounts;
++#endif
+ };
+
+ struct mnt_pcp {
diff --git a/debian/patches/features/all/net-add-__sock_queue_rcv_skb.patch b/debian/patches/features/all/net-add-__sock_queue_rcv_skb.patch
deleted file mode 100644
index 1d9b80e..0000000
--- a/debian/patches/features/all/net-add-__sock_queue_rcv_skb.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Date: Thu, 29 Dec 2016 03:06:54 +0000
-Subject: net: Add __sock_queue_rcv_skb()
-Forwarded: not-needed
-
-Extraxcted from commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
-"udp: remove headers from UDP packets before queueing".
-
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
----
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -2026,6 +2026,7 @@ void sk_reset_timer(struct sock *sk, str
-
- void sk_stop_timer(struct sock *sk, struct timer_list *timer);
-
-+int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
- int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
-
- int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb);
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -432,9 +432,8 @@ static void sock_disable_timestamp(struc
- }
-
-
--int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
-+int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
- {
-- int err;
- int skb_len;
- unsigned long flags;
- struct sk_buff_head *list = &sk->sk_receive_queue;
-@@ -445,10 +444,6 @@ int sock_queue_rcv_skb(struct sock *sk,
- return -ENOMEM;
- }
-
-- err = sk_filter(sk, skb);
-- if (err)
-- return err;
--
- if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
- atomic_inc(&sk->sk_drops);
- return -ENOBUFS;
-@@ -478,6 +473,18 @@ int sock_queue_rcv_skb(struct sock *sk,
- sk->sk_data_ready(sk);
- return 0;
- }
-+EXPORT_SYMBOL(__sock_queue_rcv_skb);
-+
-+int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
-+{
-+ int err;
-+
-+ err = sk_filter(sk, skb);
-+ if (err)
-+ return err;
-+
-+ return __sock_queue_rcv_skb(sk, skb);
-+}
- EXPORT_SYMBOL(sock_queue_rcv_skb);
-
- int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
diff --git a/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch b/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch
index b6785bf..aa2cdb6 100644
--- a/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch
+++ b/debian/patches/features/x86/apple-tb/pci-suspend-resume-quirks-for-apple-thunderbolt.patch
@@ -30,9 +30,9 @@ Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
-@@ -3084,6 +3084,103 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset);
+@@ -3085,6 +3085,103 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset);
+#ifdef CONFIG_ACPI
+/*
diff --git a/debian/patches/series b/debian/patches/series
index bde7f54..5af4a72 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -241,10 +241,6 @@ bugfix/all/xfrm-override-skb-mark-with-tunnel-parm.i_key-in-xfr.patch
bugfix/all/ip_vti-ip6_vti-preserve-skb-mark-after-rcv_cb-call.patch
bugfix/all/revert-usb-hub-do-not-clear-bos-field-during-reset-d.patch
bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
-bugfix/all/revert-fs-give-dentry-to-inode_change_ok-instead-of-inode.patch
-bugfix/all/xfs-propagate-dentry-down-to-inode_change_ok.patch
-bugfix/all/fuse-propagate-dentry-down-to-inode_change_ok.patch
-bugfix/all/fs-give-dentry-to-inode_change_ok-instead-of-inode.patch
bugfix/all/-xen-blkfront-fix-accounting-of-reqs-when-migrating.patch
bugfix/all/locking-mutex-don-t-assume-task_running.patch
bugfix/all/SUNRPC-fix-refcounting-problems-with-auth_gss-messag.patch
@@ -662,50 +658,6 @@ features/all/chaoskey/hwrng-chaoskey-Fix-URB-warning-due-to-timeout-on-Ale.patch
features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
# Security fixes
-bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch
-bugfix/all/perf-fix-race-in-swevent-hash.patch
-bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
-bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
-bugfix/all/hid-core-prevent-out-of-bound-readings.patch
-bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
-bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
-features/all/net-add-__sock_queue_rcv_skb.patch
-bugfix/all/rose-limit-sk_filter-trim-to-payload.patch
-bugfix/all/dccp-limit-sk_filter-trim-to-payload.patch
-bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
-bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch
-bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
-bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
-bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
-bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
-bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
-bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
-bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
-bugfix/all/perf-Fix-event-ctx-locking.patch
-bugfix/all/perf-do-not-double-free.patch
-bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch
-bugfix/all/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
-bugfix/all/fbdev-color-map-copying-bounds-checking.patch
-bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch
-bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch
-bugfix/x86/kvm-x86-introduce-segmented_write_std.patch
-bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch
-bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch
-bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch
-bugfix/all/ip6_gre-fix-ip6gre_err-invalid-reads.patch
-bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
-bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch
-bugfix/all/ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
-bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
-bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
-bugfix/all/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
-bugfix/all/net-sock-add-sock_efree.patch
-bugfix/all/net-llc-avoid-BUG_ON-in-skb_orphan.patch
-bugfix/all/packet-fix-races-in-fanout_add.patch
-bugfix/all/TTY-n_hdlc-fix-lockdep-false-positive.patch
-bugfix/all/tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
-bugfix/x86/kvm-nvmx-allow-l1-to-intercept-software-exceptions-bp-and-of.patch
-bugfix/all/irda-fix-lockdep-annotations-in-hashbin_delete.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
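Review bot: Nothing in this hunk ties the entries dropped from under `# Security fixes` to the upstream 3.16.42 commits that replace them; the commit message only says the dropped patches "went upstream". That mapping is presumably in the debian/changelog hunk, which is outside this view. It is worth confirming that each removed entry has a matching changelog line before the section is emptied. In particular, `bugfix/x86/fix-potential-infoleak-in-older-kernels.patch` has a name suggesting it may not correspond to a mainline commit.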
@@ -760,3 +712,8 @@ debian/revert-arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
debian/revert-s390-define-at_vector_size_arch-for-arch_dlinfo.patch
debian/revert-block-fix-bdi-vs-gendisk-lifetime-mismatch.patch
debian/net-fix-abi-change-for-sk_filter-changes.patch
+debian/arm64-ptrace-avoid-abi-change-in-3.16.42.patch
+debian/revert-x86-panic-replace-smp_send_stop-with-kdump-friendly-version.patch
+debian/net-avoid-abi-change-for-net-fix-sk_mem_reclaim_partial.patch
+debian/vfs-avoid-abi-change-for-mnt-add-a-per-mount-namespace-limit.patch
+debian/mmc-avoid-abi-change-for-mmc-core-annotate-cmd_hdr-as-__le32.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git